Through constant joint information sharing and pre-emptive defense groupthink, the financial services industry is uniting to diffuse data-theft fallout.
In late 2020, cybersecurity firm Checkpoint reported that India had ranked second for ransomware threats globally, and Sri Lanka was third. However, a study by US-based Temple University found only 28 reported cyberattacks in Asia, indicating a large degree of underreporting.
In the past, ransomware was involved just that—ransom: if you paid the money, control of the data would be returned to your organization. Now, ransomware 2.0 includes extortion tactics to either coerce payment and/or publish sensitive data online to get the victim into further trouble. This has profound implications for financial institutions and other organizations whose businesses depend on their customers’ trust.
While financial institutions, particularly the larger ones, have robust cyber defenses, they remain at risk due to weaknesses in their third-party service providers’ cyber defenses. Ransomware operators are actively directing attacks at these suppliers and third parties, such as the likes of Software AG, which was the victim of CLOP ransomware in Q4 2020.
Multiple revenue streams
Ransomware can take many forms. The ever-evolving attack vector can lock your desktop or mobile device, make changes to your hard drives and disrupt the bootup process, or encrypt data either locally or on servers. It can be delivered with precision through exploiting specific unpatched vulnerabilities in a firm’s IT infrastructure, or it be indiscriminately distributed via spam or email phishing with threat actors looking to capitalize on random opportunities.
Today, even newbie cybercriminals can purchase ransomware kits on the Dark Web and launch attacks without assistance. Our research highlights that in December 2019, a group of ransomware actors had developed a new attack methodology. Rather than just holding their victim’s data for ransom, they began to exfiltrating the data to their own servers before extorting their victims, threatening to leak the data publicly.
This so-called ‘double-tap’ tactic is believed to have been adopted by at least a dozen ransomware groups. These groups have developed dedicated sites through which to leak stolen data should their extortion demands be unmet. More recently, threat actors have been cooperating—sharing intelligence on potential targets through these same data leak platforms to conduct more successful extortions.
Ransomware actors have even added a third layer to their monetization efforts by auctioning compromised data to the highest bidder. This could mean that they are spending time analyzing stolen data to determine its value. If no successful buyer is found they have also been known to publish the data in the public domain.
One attack, multiple fallout victims
The financial services sector comprises just four percent of breaches. Still, we must be mindful that many third-party supplier and vendors we work with (such as energy suppliers, telecommunications providers, IT vendors, and even transportation firms) are also potentially vulnerable to cyberattacks.
With the current remote-working situation due to the pandemic, cloud providers and other providers of remote-work solutions could also become key targets. Our research highlights that even if financial institutions are not directly targeted, they may still suffer fallout from cyberattacks on their partners. In 2019, a ransomware strike on Travelex, a British currency exchange bureau, led to the disruption of operations at multiple banks.
The impact of a ransomware attack on the business could ultimately be much higher than the ransom demanded. Additionally, with new regulatory considerations such as the requirement for mandatory data breach reporting and fines for breaking GDPR, the damage to the firm’s reputation can be significant even in the longer term.
While not all ransomware incidents lead to major outages, the global financial system is highly interdependent. It could only be a matter of time until an attack causes a disruption large enough to affect the operations of multiple institutions, leading to a customer confidence crisis that could impact the economy at scale.
When defence is the best offence
It is essential that financial institutions leverage one of the key tools they have at their disposal and become part of an intelligence sharing community. We have documented criminal groups attempting the same attack on multiple financial institutions across various geographies.
When one member of the financial services community shares information about an attack, vulnerability, or threat, others can quickly raise defenses against it. This lowers the cyberattacker’s return on investment per attack and forces them to return to the drawing board and develop new infrastructure.
When ransomware and other cyber threat attack vectors are made less cost-effective for cyber criminals, they will see such criminal activities as less attractive.
Intelligence sharing also lowers the cost of cybersecurity. Observing the methods and techniques that threat actors are utilizing enables financial institutions to build defenses pre-emptively, and block attacks before their execution.
Ultimately, prevention is cheaper than doing damage control in the aftermath of a successful cyberattack, in terms of both cost and reputation. Previously considered a compliance cost, possessing a superior cybersecurity posture should now be seen as a competitive differentiator in today’s market instead.