At this point, almost everyone has been exposed to the problem of ransomware. Even if you have not been directly impacted, you’ve probably heard about it in the news, as an increasing number of banks, hospitals, local governments and other organizations fall victim to costly attacks. This blog series will break down why ransomware is such a problem (with a couple of real-world examples), how it works from a technical standpoint, and how to build a strategy to protect your organization from becoming a victim.

Part 1 of this series will cover:

  1. What is ransomware?
  2. Why is it such a big deal?
  3. Two real-world examples of successful ransomware attacks

How to Become a Target
The word ‘ransomware’ is one that makes most security professionals groan. It’s a messy, irritating thing that comes back time and time again with a vengeance, causing severe damage and headaches. The goal that management and security professionals alike maintain is as follows: avoid infection, and if ransomware strikes, keep a backup plan.

What is ransomware exactly?
For those unfamiliar with the specifics of the term: the security industry defines ransomware as a form of malware that roots itself in a system and quickly encrypts files, rendering them inaccessible to the user. Though ransomware strains may vary, the malware will typically export a decryption key to the attacker, then display a ransom message to the user.


A ransom message shown to victims of the Petya ransomware strain.
(Source: MalwareBytes Labs)

The ransomware will then attempt to spread to networked systems, and the action repeats itself. In severe cases, this type of infection can destroy entire companies by cutting off access to necessary information for day-to-day operation.

There are only a few options available when handling an existing ransomware infection. If backups were made beforehand, the company may attempt to recover its data and quarantine the infection. Without backups, some companies may resort to paying the ransom, after which the ransomware operators may either decrypt the data or abscond with the payment, leaving the company without both its money and its data. Some companies may deem the infection less severe and cut their losses, allowing the ransomware operators to take the pilfered data and auction it to the highest bidder.

No matter what the response, the affected organization is likely to face a long and painful cleanup with high costs.

Why is ransomware such a big deal?
Despite (or perhaps due to) the relative simplicity of the concept, ransomware is a booming industry. Ransomware operators can name their price, and so long as that price is payable by the victim, they will have those willing to pay to get their data back. Even those who don’t pay a ransom will have increased the notoriety of the ransomware operator and have offered the operator a way to make money: through sale of pilfered data.

Besides the immediate costs of cleaning up after a large attack (including restoration of backups, post-incident handling, notification to any potentially affected clients, and device quarantine where needed), there are gigantic costs involved in the long-term effects of the attack. In the worst cases, client trust has been broken, sensitive data is permanently lost, and extreme security overhauls are necessary. Ransomware operators see a successful breach as a permanent potential victim, so monitoring services and a heightened security focus become necessary to avoid another attack.

As ransomware grows more common, even organizations that reduce their attack surface can be at risk.

Case Study 1: Evil R Us
On Monday September 7th of 2020, a large portion of Chilean citizens found their days at a standstill. Their local bank branches were shut down, and one of Chile’s three largest banks, BancoEstado, was facing a large-scale crisis. Though the bank had done its job in segmenting its network (and therefore avoiding more severe impact), employees found they had no ability to access files necessary to perform their roles.

Some who are experienced with the effects and spread of ransomware may have guessed that this large outage was due to something small, and they would be correct. Through nothing more than a malicious Microsoft Office document received by an employee, a vicious infection ripped through their network and locked down files.

Though we don’t know a lot about what happened to BancoEstado’s files in the end (as the bank did not release any indication of what action it would take in response to the ransomware), we can infer. The ransomware that hit the bank is a part of the REvil family, controlled by the ransomware gang of the same name. REvil is now known to have a rather public face, choosing to post sensitive information pilfered from their victims on their website. They hold auctions of this sensitive data, further motivating victims to pay up their ransom.

Judging by the lack of any response or posting from REvil, BancoEstado may have paid their ransom (an act that is looked down upon, as it encourages future attacks on others) or mitigated the effects of the ransomware enough to have only released less valuable data to their attackers. Either way, BancoEstado was one of the lucky ones, losing very little in the long run. Still, they had to shut down many of their operations and were several days behind by the time they were able to fully resume normal services. We won’t know the true costs of this incident because BancoEstado has never released a report, but some monetary loss from this situation is certain.

Case Study 2: Flagged for Attack
By total assets, Flagstar Bank is one of the largest banks in the United States. They enjoy the advantages of being one of the largest mortgage servicers and have a large loyal customer base.

In March of 2021, Flagstar disclosed its own severe security incident, caused by an attack upon a vendor. Unfortunately, this incident appears to have been worse than originally thought as employee and customer information (including social security numbers, full names, and addresses) may have been accessed. In response, the bank offered free credit monitoring for two years to those affected.

Here, Flagstar was not necessarily the direct cause of the attack, though they did miss a few key points that would have prevented this outcome. The vendor that was used to access Flagstar’s information was a software provider through which Flagstar sent sensitive data. The software was about 20 years old at the time of attack and plans were in place by Flagstar to transition to a newer software solution.

Vendors are difficult to keep track of, but their effect on business can be a large one. With the now famous 2013 Target data breach, a vendor’s account was assigned a higher level of access than it needed to have, giving greater visibility into Target’s network and offering access to the sensitive customer data that would later be stolen. In Flagstar’s case, they may have benefited from a deep dive into the vendor’s security by requesting a penetration test upon the software and reviewing their vendor’s certifications.

As of this writing, Flagstar is still dealing with the fallout of this incident: outrage on social media, threats from the ransomware operator, and increased media visibility. Some of the stolen data has already been published by the ransomware operator and a ransom has yet to be paid.

Next Up: Discussing Disaster
In the follow-up to this topic, we’ll be covering how the average financial industry company can improve their security and form a recovery plan if the worst-case scenario comes to pass.

Coming Up in Part 2: How to Respond to Attack

Among other things, we’ll discuss:

  • Past cases of ransomware—specifically hitting banks and financial institutions
  • The dissection of an individual ransomware strain with detection and response recommendations at each stage of infection
  • Quick coverage on the roadmap of an infection

