Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/10/2016
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Ransomware Raises The Bar Again

The infamous form of attack now ranks as the top threat to financial services, but preparedness can pay off for victims.

Ransomware just got even more real: it's now the number one attack vector in the financial services sector, which traditionally has been considered a model industry for best security practices.

Some 55% of financial services firms recently surveyed by SANS report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they've lost anywhere from $100,000 to a half-million dollars due to ransomware attacks.

Ransomware's infiltration of the security-forward financial services industry underscores the dramatic rise in ransomware over the past year and growing pressure on preparedness. The malware that infects machines and holds them for ransom payment by the victim is the fastest-growing form of malware today, with more than 4,000 ransomware attacks per day since January 1 of this year. That's an increase of 300% since 2015, and security experts at Trend Micro say ransomware cost enterprises some $209 million in the first half of 2016.

Attackers are also tucking ransomware alongside and inside other attacks. Some ransomware attacks hold the machine for ransom and then also use it to wage distributed denial-of-service (DDoS) attacks on other victims. More than half of DDoS attacks worldwide ultimately lead to ransomware and other malware attacks, according to a new study by Neustar.

Meanwhile, organizations of all sizes and industries are getting infected with ransomware. The difference between those who get stung and those who survive relatively unscathed is preparedness – and sometimes a little luck.

Take the Hyannis, Mass.-based Barnstable Police Department, which was hit with its first-ever ransomware infection last month. Craig Hurwitz, director of IT at the department, says he noticed something was amiss when the department's dispatch software and records management system stopped working. He took a closer look and spotted files being encrypted and file extensions getting altered.

"I tried to get a file and it wasn't there," he recalls. "And there was a text file in the directory saying 'pay me now.'"

The police department reverted to radio dispatch to patrol cars, and Hurwitz contacted the backup and array vendor from which the Barnstable Police Department had recently purchased a system for data backup and storage capacity, as well as its data timestamp feature. At the time the department purchased the storage array system from Reduxio Systems, it was more about protecting against hard drive corruptions and server crashes. "At the time we weren't thinking about ransomware specifically," he says.

The recovery process with the backup system took 35 minutes with no loss of data or any ransom payment to the attackers. The malware never spread beyond the application server where Hurwitz found it. "They [Reduxio] cloned the drives … and set the timestamp two minutes before the infection had started … and remounted the drives," Hurwitz says.

Backing up data regularly and keeping a clean backup has always been one of the key recommendations for surviving a ransomware infection. Even endpoints running the most up-to-date software, email filters, and other security layers can get hit with ransomware: all it takes is for a user to fall for a phishing email and to open a malicious attachment or link.

But how a backup is managed can be the difference between losing data to the attackers unless you pay, or retrieving data and eradicating the ransomware.

Travis Smith, senior security research engineer at Tripwire, says the old 3-2-1 strategy applies: "Always have three copies of data, one that is offsite [or] offline," he says. "What's also very important for companies to adopt in today's ransomware world: we've seen ransomware that targets backup systems, so when you try to bring backups back online you don't have the ability to restore from the backups."

Backups of critical data should be tested at least every six months, he says, to ensure the data is uncorrupted and accessible.

Smith says clean backups work for about three-fourths of ransomware victims. "Seventy-five percent are successful [in ransomware recovery] if they have backups," he says, meaning they can get to their data and not pay any ransom to the bad guys.

Users shouldn't be storing critical data on their endpoints, either, he notes. Stick with a shared server for that information. "So then you only need to back up one critical server," he says. "If a laptop gets infected with ransomware and the data isn't backed up on a centralized server, you've lost that data."

If backups aren't done properly, it may be cheaper for an organization to pay the ransom, which is not recommended. Regular backup tests can drive down the cost of data restoration and make it more cost-effective than having to resort to actually paying a ransom if the data isn't properly backed up, he says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/13/2016 | 3:13:47 PM
Re: SANS Financial Services Industry report
Hi @kblackma: The report hasn't been released yet--SANS has a webcast on it & then will release it on Oct. 19 & 20. Here's a link to their press release about it: https://www.sans.org/press/announcement/2016/10/06/1
kblackma
50%
50%
kblackma,
User Rank: Apprentice
10/13/2016 | 1:27:28 PM
SANS Financial Services Industry report
Can you share the link to the SANS report referenced in the article pls? On Financial Services industry ranking ransomware as the top threat.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7843
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7846
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper error handling vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7847
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.
CVE-2019-7848
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7850
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have a Command injection vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.