Financial Institutions Should Ensure that Ransomware Attack is Included in Incident Response Plans

The ransomware problem just seems to be getting worse and worse. A recent study showed that ransomware increased from 39% to 51% just from Q2 to Q3 this year. This was record growth, and it puts ransomware attacks among the top threat vectors out there. But we have noticed that many organizations, including financial institutions such as wealth management firms and credit unions, have yet to include ransomware attacks as a specific threat in their incident response plans. Because of this, we recommend that financial institutions conduct a specific ransomware risk assessment to determine how this threat could impact them, and to examine how effective the security controls they currently have in place are likely to be in mitigating it.

When conducting such risk assessments, the organization should start with threats and threat vectors. For ransomware, the primary threat vectors according to CIS include:

  • Malicious attachments or links sent in email messages.
  • Network intrusion through poorly secured ports and services, notably Remote Desktop Protocol (RDP) and Server Message Block (SMB).
  • Delivery by an existing malware infection, such as an initial TrickBot infection leading to a Ryuk ransomware attack.
  • Wormable ransomware, such as WannaCry, and other forms that exploit network vulnerabilities to spread.
  • Abuse of compromised managed service providers to push ransomware to multiple client organizations at once.

In addition, attackers have been employing legitimate pen test and network administration tools as part of their attacks. These tools help them minimize detection and maximize the impact of an attack, and their use as attack mechanisms is widening the range of attacks available to cyber criminals. Just this week there was a report of a massive fraud operation using emulators that allowed attackers to steal millions of dollars from online banking accounts. Emulators are tools used by legitimate developers and researchers to test how apps run on mobile devices. Using them, criminals were able to spoof many thousands of accounts in a very short time, leading to massive illicit profits.

The next step in the risk assessment process is to examine your business processes and security controls to see where vulnerabilities that attackers could exploit to deliver ransomware may lie. In other words, the organization should list the threat vectors (such as those above) and determine, for each one, where its own systems may be vulnerable and what can be done about it if they are. Once that list is complete, the organization can decide if and how it is going to implement the needed controls.

One of the controls that is sure to arise from this process is proper incident response planning. Incorporating the results of your risk assessment can greatly enhance the organization’s ability to detect and respond to ransomware attacks effectively. Knowledge of how ransomware is going to come at you and the proper way to react to it is invaluable! And, as with any good incident response program, ransomware attacks should be included in incident response practice exercises. Lessons learned from these exercises will help to prevent chaos in the event of an actual ransomware attack against your organization.
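As an added illustration of the detection side of the plan (this is example code written for this article, not a tool from CIS or from any vendor the article mentions), the script below covers the RDP threat vector from the list above: it parses a constructed, flattened rendering of Windows Security logon events and flags a source address that makes a burst of failed RDP logons inside a sliding window, noting whether the same address later logged on successfully. The log lines, the `SAMPLE_LOG` field layout, the threshold of five failures and the ten-minute window are all assumptions chosen for the example; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system): a flattened
# rendering of the fields a Windows Security log carries for logon events.
# EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Field layout is an assumption.
SAMPLE_LOG = """\
2020-12-15T02:10:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-12-15T02:10:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-12-15T02:10:20 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-15T02:10:31 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-15T02:10:44 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-15T02:11:02 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-15T02:13:15 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-15T08:00:05 EventID=4625 LogonType=10 TargetUser=mlee SourceIP=198.51.100.7
2020-12-15T08:00:30 EventID=4624 LogonType=10 TargetUser=mlee SourceIP=198.51.100.7
2020-12-15T09:15:00 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the flattened log lines into dicts, skipping lines that do not match,
    and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP with at least `threshold` failed RDP logons inside a
    sliding `window`, and record whether that IP later logged on over RDP.
    Returns {ip: alert_dict}."""
    recent = defaultdict(list)   # ip -> [(ts, user)] failed RDP logons still in window
    alerts = {}
    for ev in events:
        if ev["logon_type"] != 10:
            continue   # only RemoteInteractive (RDP) logons matter for this vector
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            cutoff = ev["ts"] - window
            recent[ip] = [(t, u) for t, u in recent[ip] if t >= cutoff]
            recent[ip].append((ev["ts"], ev["user"]))
            if ip in alerts:
                # Burst already flagged: keep counting so responders see its size.
                alerts[ip]["failures"] += 1
                alerts[ip]["users"].add(ev["user"])
            elif len(recent[ip]) >= threshold:
                alerts[ip] = {
                    "first_failure": recent[ip][0][0],
                    "failures": len(recent[ip]),
                    "users": {u for _, u in recent[ip]},
                    "success_after_burst": False,
                    "success_user": None,
                }
        elif ev["event_id"] == 4624 and ip in alerts:
            # A successful RDP logon after a flagged burst is the high-priority case.
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["success_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the sample data only 203.0.113.45 is flagged: a single failed logon from 198.51.100.7 stays below the threshold, and the LogonType 3 failure from 192.0.2.10 is not an RDP logon at all. In a real deployment the same logic would read the Security channel from a SIEM or log forwarder, and an alert with `success_after_burst` set should map directly to a step in the incident response plan, because it is the point at which the RDP vector has turned into an intrusion rather than an attempt.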