Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/10/2016
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Ransomware Raises The Bar Again

The infamous form of attack now ranks as the top threat to financial services, but preparedness can pay off for victims.

Ransomware just got even more real: it's now the number one attack vector in the financial services sector, which traditionally has been considered a model industry for best security practices.

Some 55% of financial services firms recently surveyed by SANS report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they've lost anywhere from $100,000 to a half-million dollars due to ransomware attacks.

Ransomware's infiltration of the security-forward financial services industry underscores the dramatic rise in ransomware over the past year and growing pressure on preparedness. The malware that infects machines and holds them for ransom payment by the victim is the fastest-growing form of malware today, with more than 4,000 ransomware attacks per day since January 1 of this year. That's an increase of 300% since 2015, and security experts at Trend Micro say ransomware cost enterprises some $209 million in the first half of 2016.

Attackers are also tucking ransomware alongside and inside other attacks. Some ransomware attacks hold the machine for ransom and then also use it to wage distributed denial-of-service (DDoS) attacks on other victims. More than half of DDoS attacks worldwide ultimately lead to ransomware and other malware attacks, according to a new study by Neustar.

Meanwhile, organizations of all sizes and industries are getting infected with ransomware. The difference between those who get stung and those who survive relatively unscathed is preparedness – and sometimes a little luck.

Take the Hyannis, Mass.-based Barnstable Police Department, which was hit with its first-ever ransomware infection last month. Craig Hurwitz, director of IT at the department, says he noticed something was amiss when the department's dispatch software and records management system stopped working. He took a closer look and spotted files being encrypted and file extensions getting altered.

"I tried to get a file and it wasn't there," he recalls. "And there was a text file in the directory saying 'pay me now.'"

The police department reverted to radio dispatch to patrol cars, and Hurwitz contacted the backup and array vendor from which the Barnstable Police Department had recently purchased a system for data backup and storage capacity, as well as its data timestamp feature. At the time the department purchased the storage array system from Reduxio Systems, it was more about protecting against hard drive corruptions and server crashes. "At the time we weren't thinking about ransomware specifically," he says.

The recovery process with the backup system took 35 minutes with no loss of data or any ransom payment to the attackers. The malware never spread beyond the application server where Hurwitz found it. "They [Reduxio] cloned the drives … and set the timestamp two minutes before the infection had started … and remounted the drives," Hurwitz says.

Backing up data regularly and keeping a clean backup has always been one of the key recommendations for surviving a ransomware infection. Even endpoints running the most up-to-date software, email filters, and other security layers can get hit with ransomware: all it takes is for a user to fall for a phishing email and to open a malicious attachment or link.

But how a backup is managed can be the difference between losing data to the attackers unless you pay, or retrieving data and eradicating the ransomware.

Travis Smith, senior security research engineer at Tripwire, says the old 3-2-1 strategy applies: "Always have three copies of data, one that is offsite [or] offline," he says. "What's also very important for companies to adopt in today's ransomware world: we've seen ransomware that targets backup systems, so when you try to bring backups back online you don't have the ability to restore from the backups."

Backups of critical data should be tested at least every six months, he says, to ensure the data is uncorrupted and accessible.

Smith says clean backups work for about three-fourths of ransomware victims. "Seventy-five percent are successful [in ransomware recovery] if they have backups," he says, meaning they can get to their data and not pay any ransom to the bad guys.

Users shouldn't be storing critical data on their endpoints, either, he notes. Stick with a shared server for that information. "So then you only need to back up one critical server," he says. "If a laptop gets infected with ransomware and the data isn't backed up on a centralized server, you've lost that data."

If backups aren't done properly, it may be cheaper for an organization to pay the ransom, which is not recommended. Regular backup tests can drive down the cost of data restoration and make it more cost-effective than having to resort to actually paying a ransom if the data isn't properly backed up, he says.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/13/2016 | 3:13:47 PM
Re: SANS Financial Services Industry report
Hi @kblackma: The report hasn't been released yet--SANS has a webcast on it & then will release it on Oct. 19 & 20. Here's a link to their press release about it: https://www.sans.org/press/announcement/2016/10/06/1
kblackma
50%
50%
kblackma,
User Rank: Apprentice
10/13/2016 | 1:27:28 PM
SANS Financial Services Industry report
Can you share the link to the SANS report referenced in the article pls? On Financial Services industry ranking ransomware as the top threat.
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...