At this point, almost everyone has been exposed to the problem of ransomware. Even if not directly impacted you’ve probably heard about it in the news, as an increasing number of banks, hospitals, local governments and other organizations fall victim to costly attacks. This blog series will break down why ransomware is such a problem (with a couple of real-world examples), how it works from a technical standpoint, and how to build a strategy to protect your organization from becoming a victim.
Part 1 of this series will cover:
What is ransomware?
Why is it such a big deal?
Two real world examples of successful ransomware attacks
How to Become a Target The word ‘ransomware’ is one that makes most security professionals groan. It’s a messy, irritating thing that comes back time and time again with a vengeance, causing severe damage and headaches. The goal that management and security professionals alike maintain is as follows: avoid infection, and if ransomware strikes, keep a backup plan.
What is ransomware exactly? For those unfamiliar with the specifics of the term: the security industry defines ransomware as a form of malware that roots itself in a system and quickly encrypts files, rendering them inaccessible to the user. Though ransomware strains may vary, the malware will typically export a decryption key to the attacker, then display a ransom message to the user.
A ransom message shown by victims of the Petya ransomware strain. (Source: MalwareBytes Labs)
The ransomware will then attempt to spread to networked systems, and the action repeats itself. In severe cases, this type of infection can destroy entire companies by cutting off access to necessary information for day-to-day operation.
There are only a few options available when handling an existing ransomware infection. If backups were made beforehand, the company may attempt to recover their data and quarantine the infection. Without backups, some companies may resort to paying the ransom, to which ransomware operators may either decrypt the data or abscond with their payment and leave the company without their paid ransom and their data. Some companies may deem the infection less severe and cut their losses, allowing the ransomware operators to take the pilfered data and auction it to the highest bidder.
No matter what the response, the affected organization is likely to face a long and painful cleanup with high costs.
Why is ransomware such a big deal? Despite (or perhaps due to) the relative simplicity of the concept, ransomware is a booming industry. Ransomware operators can name their price, and so long as that price is payable by the victim, they will have those willing to pay to get their data back. Even those who don’t pay a ransom will have increased the notoriety of the ransomware operator and have offered the operator a way to make money: through sale of pilfered data.
Besides the immediate costs of cleaning up after a large attack (including restoration of backups, post-incident handling, notification to any potentially affected clients, and device quarantine where needed), there are gigantic costs involved in the long-term effects of the attack. In the worst cases, client trust has been broken, sensitive data is permanently lost, and extreme security overhauls are necessary. Ransomware operators see a successful breach as a permanent potential victim, so monitoring services and a heightened security focus become necessary to avoid another attack.
As ransomware grows more common, even organizations that reduce their attack surface can be at risk.
Case Study 1: Evil R Us On Monday September 7th of 2020, a large portion of Chilean citizens found their days at a standstill. Their local bank branches were shut down, and one of Chile’s three largest banks, BancoEstado, was facing a large-scale crisis. Though the bank had done its job in segmenting its network (and therefore avoiding more severe impact), employees found they had no ability to access files necessary to perform their roles.
Some who are experienced with the effects and spread of ransomware may have guessed that this large outage was due to something small, and they would be correct. Through nothing more than a malicious Microsoft Office document received by an employee, a vicious infection ripped through their network and locked down files.
Though we don’t know a lot about what happened to BancoEstado’s files in the end (as the bank did not release an indication of what action they would take upon the ransomware), we can infer. The ransomware that hit the bank is a part of the REvil family, controlled by the ransomware gang of the same name. REvil is now known to have a rather public face, choosing to post sensitive information pilfered from their victims on their website. They hold auctions of this sensitive data, further motivating victims to pay up their ransom.
Judging by the lack of REvil’s response or posting, BancoEstado may have paid their ransom (and act that is looked down upon, as it encourages future attacks on others) or mitigated the effects of the ransomware enough to have only released less valuable data to their attackers. Either way, BancoEstado was one of the lucky ones, losing very little in the long run. Still, they had to shut down many of their operations and were several days behind by the time they were able to fully resume normal services. We won’t know the true costs of this incident because BancoEstado has never released a report, but monetary loss is absolute from this situation.
In March of 2021, Flagstar disclosed its own severe security incident, caused by an attack upon a vendor. Unfortunately, this incident appears to have been worse than originally thought as employee and customer information (including social security numbers, full names, and addresses) may have been accessed. In response, the bank offered free credit monitoring for two years to those affected.
Here, Flagstar was not necessarily the direct cause of the attack, though they did miss a few key points that would have prevented this outcome. The vendor that was used to access Flagstar’s information was a software provider through which Flagstar sent sensitive data. The software was about 20 years old at the time of attack and plans were in place by Flagstar to transition to a newer software solution.
Vendors are difficult to keep track of, but their effect on business can be a large one. With the now famous 2013 Target data breach, a vendor’s account was assigned a higher level of access than it needed to have, giving greater visibility into Target’s network and offering access to the sensitive customer data that would later be stolen. In Flagstar’s case, they may have benefited from a deep dive into the vendor’s security by requesting a penetration test upon the software and reviewing their vendor’s certifications.
As of this writing, Flagstar is still handling the response to this incident via outrage on social media, threats from the ransomware operator, and increased media visibility. Some of the stole data has already been published by the ransomware operator and a ransom has yet to be paid.
Next Up: Discussing Disaster In the follow-up to this topic, we’ll be covering how the average financial industry company can improve their security and form a recovery plan if the worst-case scenario comes to pass.
Coming Up in Part 2: How to Respond to Attack
Among other things, we’ll discuss:
Past cases of ransomware—specifically hitting banks and financial institutions
The dissection an individual ransomware strain with detection and response recommendations at each stage of infection