Financial Firms in the Crosshairs of the Big Game Hunters

Ransomware is very much a reality for the finance industry. A recent survey found that 34% of the financial services organisations surveyed were hit by ransomware in 2020 and 51% of the organisations impacted said the attackers succeeded in encrypting their data. And there’s no sign of attacks slowing down. A separate study showed that ransomware attacks increased by 148 percent in Q3 2021, making 2021 the most costly and dangerous year on record.

Despite security teams’ best efforts, ransomware remains one of the biggest and most serious issues facing organisations today. The growth of this billion-dollar industry is being fuelled in part by the Big Game Hunters, well-organised and well-funded criminal gangs who target only the largest enterprises with the deepest pockets. In addition, the barriers to entry for participating in the ransomware industry are effectively non-existent. Financial firms are high on their list of prey.

Profile of a Victim

The New Year’s Eve ransomware attack on Travelex, the currency exchange business, is a prime example of the damage that can be done. The attackers demanded payment to stop them publishing customer data. Some of the company’s core systems were down for weeks, affecting not just its own business but also other companies, including Sainsbury’s and Virgin Money, which used Travelex’s foreign exchange services. Things could not have ended worse for the company, and it collapsed into administration seven months after the crippling attack. Travelex fell victim to the group known as Sodinokibi (aka REvil), which uses a ransomware-as-a-service (RaaS) business model and recruits affiliates to distribute its ransomware. Of note here is that questions were raised about the security of Travelex’s computer network after it emerged the company waited eight months to patch vulnerable VPN servers…

As illustrated by the Travelex example, the ransomware variants deployed by the Big Game Hunters have multiplied, evolved and become more sophisticated, with their proliferation going virtually unimpeded by security tools as they look to exploit the specific vulnerabilities of a single, high-value target. The top three ransomware variants recorded in 2021 were Conti v.2, Mespinoza, and Lockbit 2.0.

The 2021 Verizon Data Breach Investigations Report indicates that ransomware now makes up 10 percent of all security breaches – double the level from just the previous year. The attackers are going after the bigger game and they’re catching them to the tune of millions of dollars.

Plan of Attack

Big Game Hunters spend time selecting and studying their targets before conducting any form of attack. With the potential to secure millions of dollars in ransom at stake, meticulous planning is important. They’ll then use increasingly sophisticated methods to install ransomware on their victims’ systems. Typically these methods include looking for RDP servers that are exposed on the Internet and unpatched, exploiting vulnerabilities, or using webshell-type implants – all of which enable them to gain access to the enterprise, perform reconnaissance and credential dumping, and move laterally to find the hosts they’re after.
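The Internet-facing RDP foothold described above is one of the easier stages to detect, because every failed and successful logon leaves a Windows Security event. The script below is an added example, not code from the original article: it runs over a handful of constructed, flattened event lines (not real telemetry) and flags an external source address that racks up failed RDP logons (Event ID 4625, LogonType 10) across several accounts and then succeeds (Event ID 4624), the pattern a credential-guessing attacker leaves behind. The `key=value` line format, the `SAMPLE_EVENTS` data and the threshold are this example’s own assumptions; the event IDs and logon type are the standard Windows values.

```python
"""Flag external RDP logon failures followed by a success in Windows Security events.

Constructed sample for illustration, not real telemetry. Each line is a
flattened event: "ts=... EventID=... LogonType=... SourceIP=... TargetUser=...".
Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive, which is the value RDP sessions carry.
"""
import ipaddress
from collections import defaultdict

# Constructed sample. 203.0.113.0/24 is a documentation range standing in for
# an Internet source; 10.20.4.17 is an internal workstation.
SAMPLE_EVENTS = [
    "ts=2021-11-02T03:14:01Z EventID=4625 LogonType=10 SourceIP=203.0.113.45 TargetUser=administrator",
    "ts=2021-11-02T03:14:03Z EventID=4625 LogonType=10 SourceIP=203.0.113.45 TargetUser=admin",
    "ts=2021-11-02T03:14:05Z EventID=4625 LogonType=10 SourceIP=203.0.113.45 TargetUser=backup",
    "ts=2021-11-02T03:14:07Z EventID=4625 LogonType=10 SourceIP=203.0.113.45 TargetUser=jsmith",
    "ts=2021-11-02T03:14:09Z EventID=4625 LogonType=10 SourceIP=203.0.113.45 TargetUser=svc_sql",
    "ts=2021-11-02T03:14:11Z EventID=4624 LogonType=10 SourceIP=203.0.113.45 TargetUser=svc_sql",
    "ts=2021-11-02T08:02:10Z EventID=4625 LogonType=10 SourceIP=10.20.4.17 TargetUser=jsmith",
    "ts=2021-11-02T08:02:15Z EventID=4624 LogonType=10 SourceIP=10.20.4.17 TargetUser=jsmith",
    "ts=2021-11-02T09:30:00Z EventID=4625 LogonType=2 SourceIP=127.0.0.1 TargetUser=jsmith",
]

# Ranges treated as "inside the enterprise" (RFC 1918 plus loopback). Listed
# explicitly rather than via ipaddress.is_private so documentation ranges
# such as 203.0.113.0/24 count as external for this example.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_event(line):
    """Split the example's key=value tokens into a dict (format assumed here)."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_internal(ip):
    """True if the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_events(lines):
    """Yield parsed RDP (LogonType 10) events whose source is not internal."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") == "10" and not is_internal(ev["SourceIP"]):
            yield ev


def find_suspicious_rdp_sources(lines, failure_threshold=5):
    """Return external sources with >= failure_threshold failed RDP logons.

    Events are assumed to be in chronological order. For each flagged source
    the result records the failure count, the distinct accounts tried, and
    whether a successful RDP logon followed once the threshold was crossed.
    """
    state = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after_failures": False}
    )
    for ev in external_rdp_events(lines):
        src = state[ev["SourceIP"]]
        if ev["EventID"] == "4625":
            src["failures"] += 1
            src["users"].add(ev["TargetUser"])
        elif ev["EventID"] == "4624" and src["failures"] >= failure_threshold:
            src["success_after_failures"] = True
    return {
        ip: {
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "success_after_failures": s["success_after_failures"],
        }
        for ip, s in state.items()
        if s["failures"] >= failure_threshold
    }


if __name__ == "__main__":
    for ip, info in find_suspicious_rdp_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Running it flags 203.0.113.45 with five failures across five accounts and a subsequent success on `svc_sql`; the internal workstation’s single mistyped password never crosses the threshold. In practice the same logic sits in a SIEM rule, and the success-after-failures flag is the one to page on, since it indicates a credential that should be reset and a session that should be investigated, not just noise to tune out.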

Proactive Defending

As the number and sophistication of ransomware attacks continue to escalate, security teams should continually review the tools and business processes that are in place and rethink how their organisation is approaching security. The unfortunate truth is that Big Game Hunters will always be one step ahead, with security teams one, two or three steps behind. But all is not lost. There are steps that organisations can – and must – take.

The starting point lies with a robust cybersecurity policy that outlines the organisation’s cyber defence strategy. This should include the assets and data that need to be protected, the specific threats to those assets, and what security tools and processes have to be adopted to deal with these threats.

All employees must be continuously trained on – and reminded of – the kind of threats they might face. They must have at least a basic understanding of how to recognise those threats – and what action to take if and when they spot them. Cybersecurity must become the responsibility of the whole organisation, not just the security teams.

And finally, it’s worth reinforcing the importance of ensuring that employees use strong and complex passwords, as this is the first line of defence against a hacker. Regularly changing those passwords is also very important. Worryingly, a recent study found that less than half of users change their passwords after a breach. More education is clearly required. As an added layer of protection, organisations should also set up alternative multi-factor authentication processes such as encryption, so that in the event of a password being compromised, the attacker still won’t be able to access the files.

There is a chink of light on the horizon in all this. There’s no doubt that the cyber threat landscape continues to evolve and become ever more complex. And it’s inevitable that at some point organisations will find themselves in the crosshairs of the cyber criminals.

However, there are initiatives being developed to help counter the economics of ransomware. One example is new legislation that would end anonymous domain registration on the continent. This would effectively inhibit the ability of cyber criminals to use anonymous domains as C2 servers and therefore increase the cost of hosting their necessary infrastructure. And in October last year the White House National Security Council convened the Counter-Ransomware Initiative, a 30-nation summit to strengthen collaboration among international law enforcement agencies on disrupting ransomware operations.

The phrase “there’s no silver bullet to prevent a cybersecurity attack” remains as true today as when I first heard it over two decades ago. This means that businesses must prioritise security so that when the inevitable happens and they’re exposed to a breach, they have the tools in place to minimise the financial, reputational or technological losses that will likely occur.