Ransomware 101 Part 1: A Growing Threat to Financial Services Firms
What is ransomware?
Ransomware is a form of malware, a harmful computer program used by cybercriminals to access sensitive data, encrypt that data, and sometimes exfiltrate that data. Ransomware attackers typically demand monetary compensation in the form of cryptocurrency to (ostensibly) provide the key to decrypt the data and make it usable again, and/or to refrain from publishing the data online.
Ransomware is evolving in sophistication and increasing in frequency, and there seems to be no stopping it. From its humble origins on floppy disks to attacks that take down entire fuel pipelines, from obstruction to encryption to triple extortion, the pain it inflicts keeps getting worse. The ransomware threat continues to expand and everyone is a target.
This blog series addresses multiple aspects of the ransomware issue, including what you should know and what you should do to protect your firm, your clients, and your finances.
- This article describes the evolution of ransomware and describes recent developments. It answers the question, “Why is ransomware a threat to my business?”
- Next, we’ll examine how to prevent and detect ransomware attacks. It will answer the question, “How should we protect ourselves?”
- We’ll explore how to respond after an attack. It will answer the question, “We’ve been hit, what should we do now?”
- Finally, we'll address how to properly engage with the FBI.
A serious and growing problem
Recent reports indicate that 2020 saw a 62% increase in ransomware attacks worldwide, with over 304 million attacks reported. Since the start of the pandemic, ransomware attacks have increased nearly 500%. However, the actual amount may be larger, since companies are not required by law to report ransomware attacks, not to mention many companies may be hesitant to go public.
Alongside the increasing attacks, the average ransom demand has risen as well. 2020 figures estimate an average demand of $170K per incident and a total cost (including recovery) of over $761K. A 43% rise in extortion demands has been reported in the first quarter of 2021, with an average demand of $220K. Some variants (e.g., Maze ransomware) even demand an average of $4.8M per attack. One 2020 attack demanded $30M.
The monetary damage of an attack far exceeds the actual ransom demand. Expenses can include rebuilding systems, restoring data when possible, business downtime, lost orders, not to mention reputational and emotional harm. 2021 figures peg the costs of recovering from an attack at an average of $1.5M, an increase of 100% over 2020. Whether payment is made or not, the cost of recovery averages 10% more than the actual ransomware demand.
While larger companies are frequent targets, smaller companies are on the radar as well. Multiple small and medium businesses have been forced to shut down completely.
As spelled out by the U.S. National Security Council’s top cybersecurity official, "…no company is safe from being targeted by ransomware, regardless of size or location."
Financial services firms in the crosshairs
Ransomware is a serious threat to financial services firms – they are 300% more likely to suffer a cyberattack than firms in other sectors. Investment advisers possess data that is especially attractive to ransomware attackers – think of the all the personal and financial information of clients, trading models and business strategies, as well as portfolio positions to be held for ransom. Not to mention the $4.7 trillion in client assets that investment advisers manage.
Private equity firms stand to suffer a great deal from ransomware attacks, both on the management company and the portfolio company level. Private equity firms have disclosure requirements that make them and their companies easy to find (and to target as being valuable). At the same time, hesitancy to report cybercrime for fear of devaluing acquisitions makes them an even more attractive target.
Ransomware in the regulatory spotlight
Cybersecurity in general and ransomware in particular remain a top concern for both firms and regulators.
Poll figures from ACA's recent spring conference indicate that cybersecurity is clearly on the mind of participants. It’s also on the mind of the SEC, with cybersecurity being a top priority of 2021. Similarly, in an interview with Mike Pappacena of ACA Aponix during the recent ACA conference, Keith Cassidy of the SEC pointed to SEC publications on ransomware and highlighted the urgency of firms developing programming in prevention and response. Similarly, the OCIE and the US Treasury Department have also issued recent alerts and advisories regarding ransomware.
Recent developments in ransomware
The ransomware threat continues to grow beyond just the frequency and cost of attacks. Here are some other ways ransomware continues to evolve.
Criminals are working together
Increasingly, organized groups of criminals are working together on joint ransomware attacks. While the general group of ransomware attackers spans the range of hackers, hacktivists, and hackers from enemy states, dozens of established ransomware gangs are flooding the market with crime and competing for notoriety. Further, recent large-scale ransomware attacks have been attributed to criminal groups that are receiving state sanctioning from Russia and Eastern Europe.
Ransomware has become a commodity
The Ransomware as a Service (RaaS) model features ransomware software ready and available for sale, usually for a share of the ransomware profits. “Network access brokers” offer an additional ransomware service. These criminals gain back-end access to businesses and sell this access to third parties, often with the addition of researched infiltration points. This makes the attack more targeted and typically more damaging.
New attack vectors mean more vulnerabilities
New attack vectors include the use of social media web-based instant message applications, especially for ransomware that encrypts data, as well as the exploitation of vulnerable network devices. Criminals have increasingly targeted corporate networks, focusing on unpatched Fortinet VPN devices, on Microsoft SharePoint servers, QNAP network attached storage devices, and more. At the same time, typical (and continually effective) methods of introducing ransomware such as phishing, targeted phishing, and infected downloads remain popular.
Actual humans are increasingly behind attacks
While often employed by bots or other automated methods, ransomware attacks have increasingly been “human-operated.” Criminals control the attack, and once in, analyze and search for targets in the network, disabling security controls and backups along the way. This adds expertise to the exploits.
The double extortion model has become a favorite criminal tactic, especially against larger targets. This method delivers a “one-two punch:”
- Encrypt files and demand ransom payment to free them, then
- Threaten to publish or auction sensitive data that has been stolen in the attack.
This method pummels victims from two angles and knocks out the effectiveness of backups (even if you restore your files, your data will be exposed). Criminals have further used a “drip” method, periodically leaking small amounts of data to prove they have it exfiltrated and that the target will suffer further exposure unless the ransom is paid.
Recent reports point to an additional punch. In the triple extortion model, criminals use the above encryption and data exposure threat, then add a third threat:
Reach out and threaten victims whose data would be exposed, then:
- Demand they push the company to pay the ransom, and
- Demand they too pay the ransom
Calls for a unified response are growing. Ransomware is increasingly an issue of national and international concern. Recent attacks have hobbled pipelines, food producers, hospitals, schools, and governments.
The White House has explicitly demanded that organizations of all sizes who interact with the government have ransomware (and other cybersecurity) protections in place. Similarly, the White House has gotten the message out that shoring up against ransomware is highly advised for all businesses on all levels.
There is some movement on having a unified, coordinated, public-private response to ransomware. The Institute for Security and Technology’s Ransomware Task Force includes membership from the FBI, Microsoft, Cisco, Amazon Web Services, the Department of Homeland Security, the U.K.’s National Crime agency and others. Their plans for a unified approach to combatting ransomware are ambitious, but still in the development stage.
- Know that you are not immune. Everyone is a target for ransomware, and RIAS and portfolio companies of PE firms are especially in the cross hairs.
- Learn more about ransomware costs, prevention, and response.
- If you have not done so already, prepare a plan to protect against ransomware and react to ransomware attacks
Download the 2022 Ransomeware white paper
Download our cybersecurity checklist
Use this checklist to make sure you are taking all the necessary actions to protect your company. Take advantage of this checklist as a discussion guide for your next conversation with your MSP/key IT services providers.
Read the series
Click here for Ransomware 101 Part 3: How to Respond to a Ransomware Attack.
How we help
ACA Aponix® can help your firm build a stronger cybersecurity program to protect against evolving ransomware attacks and other cyber threats. We offer a range of services, including:
- Risk assessments and compliance readiness
- Threat intelligence, phishing testing, and monitoring
- Cybersecurity awareness training for staff
- Portfolio company risk management (PortCo Defend™)
- Operational resilience and governance
- and more
If you have any questions, please contact your ACA Aponix consultant or contact us here.