4 Ways to Protect Your Institution from Ransomware
It’s no secret that ransomware attacks are not slowing down anytime soon. In 2021, headline after headline called out organizations—including financial institutions—that suffered the consequences of an attack.
As these attacks continue, what can your institution do to mitigate risk? Before we address that question, let’s review the basics of ransomware and the threats posed to financial institutions.
Why Do Ransomware Attacks Keep Happening?
The shift to remote work, supply chain issues, greater reliance on digital channels, and increased turnover and open positions across industries, financial services included, have created an environment ripe for exploitable weaknesses. As a result, many institutions have greatly expanded their attack surface: there are now more points of entry into the network and more complex system operations, including remote endpoints and cloud-based systems.
Cybercriminals are exploiting these weaknesses to launch sophisticated attacks. Since ransomware attacks pose little risk to the hacker, provide a quick payout for criminals and are carried out relatively easily and anonymously, institutions should remain on high alert to identify and combat these threats.
Want to learn more about strengthening your defenses against ransomware and other cyber threats? Download our white paper, A Guide to Strengthening Your Institution’s Cybersecurity Posture.
How Does Ransomware Work?
Ransomware is a type of malware that, once executed, encrypts the data it can reach, locks authorized users out and holds the data for ransom. In many cases the attacker also exfiltrates a copy of the data before encrypting it, with or without the institution's knowledge, so that the stolen copy can be used as additional leverage (often called double extortion).
If the organization refuses to pay, the criminal will likely leave the data encrypted and unusable, and may also delete or expose the stolen copy. Even if the ransom is paid, or the institution restores from current backups without paying, the cybercriminal can still leak the exfiltrated data on the dark web. Backups protect availability; they do nothing for confidentiality once the data has left the network.
Since financial institutions hold vast amounts of valuable customer or member data, they are an attractive target for ransomware. And as technology advances, ransomware will continue to increase in complexity. The availability and automated nature of modern ransomware allow an attack to be initiated with limited upfront costs and maintenance from criminals.
According to Forbes, “a growing number of organizations, such as DarkSide, REvil and others, franchise their ransomware-as-a-service (RaaS) capabilities to attackers.” This model lowers the barrier to entry, making it easier than ever to put ransomware into the hands of opportunistic cybercriminals.
How Do Ransomware Attacks Happen?
While ransomware attacks occur in a variety of ways, let’s go through a scenario in which an attack is perpetrated through a phishing email.
Picture it: During a busy Monday morning at your bank or credit union, an email carrying ransomware makes it past your spam filter and lands in the inbox of one of your employees in accounting. This email is designed to look like a legitimate invoice request; the polished email contains no spelling or grammatical errors. Since the attachment file is labeled as an invoice, your employee opens it—not suspecting that a cybercriminal could be targeting your community financial institution.
Within seconds, the workstation is locked and a ransom demand for thousands of dollars replaces the employee's desktop. The malware runs with whatever rights that employee's account has: if the account holds broad administrative privileges, there is a high likelihood the attack will spread quickly across the network, locking other machines and presenting the same demand on each.
Now your institution must confront the operational and reputational risks of this attack. Ransomware can be crippling for institutions, especially when regular data backups are not maintained and security patches are not applied promptly.
How to Detect a Ransomware Attack
Deploying cybersecurity tools that monitor your entire IT environment and deliver real-time alerts is one of the best strategies to detect ransomware and other types of malware. Limited network security visibility is a huge vulnerability for many institutions. If you’re only seeing a slice of the activity in your IT environment and not the environment in its entirety, you cannot react to all suspicious behavior.
While the network perimeter and servers typically have controls in place, many large-scale breaches begin with user actions on endpoints, which often lack the same level of protection. Endpoints are usually the least secure part of the environment, so implementing an endpoint detection and response (EDR) solution lets your institution strengthen its defenses while gaining visibility into an otherwise overlooked area of its IT environment.
There are also regulatory requirements associated with network visibility, as regulators want to know that your institution has a holistic view. Your institution should also retain logs and other telemetry for an extended period, because a malicious incident may not be detected until months later. With that history, you can go back and inspect past activity to determine whether, and how, you were affected.
How to Protect Against Ransomware Attacks
With the risk of ransomware growing, it is imperative that your institution enhance its defenses. Below are best practices that will allow your institution to fend off ransomware attacks with greater effectiveness.
1. Security Information and Event Management-as-a-Service (SIEMaaS) collects and reviews event logs from connected devices across a technology environment, such as firewalls, anti-virus solutions or endpoints, and alerts your institution to potential threats in real time. With SIEMaaS, an organization collects all event logs and sends them over a secure connection to an outsourced SIEM. That SIEM then produces alerts that are routed back to the internal IT team or to an outsourced SOC for investigation and review.
SIEMaaS reduces the time burden on your internal IT team and turns the cost into an ongoing operational expense rather than a large upfront investment. This service also allows your institution to achieve a holistic view of your environment, as it collects logs from disparate sources.
2. Endpoint detection and response (EDR) solutions prevent breaches and block ransomware at the point of entry by rapidly identifying, containing and mitigating threats. Attackers deliberately target the weakest link in a network, the systems with the fewest security protections, and those are often endpoints. Attackers commonly use zero-day exploits, that is, exploits for vulnerabilities that have no patch available yet, to get malware onto a system. Because EDR watches what code does after it runs rather than how it got in, it can catch this activity even when no patch exists.
EDR solutions build a baseline of how each endpoint normally operates and look for applications behaving in ways they have not before. When behavior deviates from the baseline, the solution responds, typically by terminating the offending process and isolating the endpoint from the network so the infection cannot spread.
In other words: if an EDR solution detected a ransomware attack, it would identify the anomalous behavior (for example, one process rapidly rewriting large numbers of files) through behavioral analysis, then isolate the host and block the attack.
By monitoring endpoints, EDR solutions produce event logs that can be correlated and fed into a SIEM. This offers additional insight into threats and demonstrates how a layered approach helps your institution achieve a more holistic view of your IT environment and a stronger cybersecurity posture.
3. Establishing a culture of cybersecurity will help keep employees on guard against prevalent social engineering schemes that could lead to a ransomware attack. At some point, a ransomware attack encounters a person who falls for the ruse and allows the ransomware into their system. Training your staff—especially customer service staff who are often highly targeted—should be a top priority. Continuous cybersecurity training and awareness campaigns will reduce the likelihood of employees inadvertently aiding a breach.
There is a tendency to think of cybersecurity as a strictly IT issue, but the reality is that cybersecurity is a business issue. If a ransomware attack hijacks your entire system, the effects extend far beyond the IT department. While the IT staff will be on the front lines of getting your systems back up and running, every other department will be potentially affected, and your institution will face reputational and financial risk. Internal cybersecurity training should present the issue in that context to everyone from board members to employees.
4. Multi-factor authentication (MFA) adds a layer of defense to user accounts. Several prevalent ransomware attacks in 2021 began with a compromised account. MFA requires proof from more than one category of factor to verify a user's identity: something the user knows (a password), something the user has (a hardware token or authenticator app) or something the user is (a biometric). Two passwords are still a single factor, so a second password does not count. When an administrative user logs in to reach network resources, the login is interrupted for an MFA prompt. Phone calls and text messages are also used as a second factor, but they are the weakest option because they can be intercepted or socially engineered; an authenticator app or hardware token is preferable.
By implementing MFA, your institution will strengthen resiliency and prevent cybercriminals from gaining account access with a password alone. Further, MFA is now a common regulatory requirement and necessary to obtain cybersecurity insurance. Institutions are expected to require MFA for specific parts of the network, including network administrator accounts, network devices and VPN users.
Many institutions view MFA as burdensome since employees must take an extra step to gain access to their accounts. But from a security perspective, MFA is the best way to guard against account takeover.
If a ransomware attack succeeds on one machine and the intruder tries to spread further by logging in to other systems with stolen passwords, MFA denies those logins; that is the access control that limits the blast radius. MFA alone will not eliminate ransomware risk (it does not stop malware already running on a compromised host), but it is an important layer of defense and mitigates risk when combined with the other layers of security.
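The detection items above (the SIEM in item 1 and the behavioral EDR analysis in item 2) are easier to reason about with a concrete rule. The following is an added example, not code from this page or from CSI: an EDR-style detector that reads per-process file-write events, flags a process that rewrites many distinct files with ciphertext-looking content under one new extension inside a short window, and emits the kind of alert a SIEM would receive. The event schema, the thresholds, the host and process names and the sample events are all constructed for illustration.

```python
"""Ransomware-style behaviour detection over endpoint file-write telemetry.

Added example, not code from the page or from CSI. The event schema,
thresholds, host/process names and sample events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class FileEvent:
    ts: float          # event time in seconds (constructed, not wall-clock)
    host: str
    pid: int
    process: str
    path: str          # path after the write or rename
    content: bytes     # leading bytes of what was written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for a uniform byte distribution (ciphertext,
    compressed data), typically 4-5 for office documents and plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Final extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events, window=30.0, min_files=20,
                           min_entropy=7.0, min_ext_share=0.8):
    """Return one alert per (host, pid, process) that wrote at least
    `min_files` distinct high-entropy files inside `window` seconds, with at
    least `min_ext_share` of those writes sharing one extension."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev.host, ev.pid, ev.process)].append(ev)

    alerts = []
    for (host, pid, proc), evs in by_proc.items():
        # Only writes that look like ciphertext count towards the threshold,
        # so a backup agent copying plaintext documents does not trip the rule.
        hot = sorted((e for e in evs if shannon_entropy(e.content) >= min_entropy),
                     key=lambda e: e.ts)
        start = 0
        for end in range(len(hot)):
            while hot[end].ts - hot[start].ts > window:
                start += 1
            span = hot[start:end + 1]
            paths = {e.path for e in span}
            if len(paths) < min_files:
                continue
            ext, n_ext = Counter(extension(e.path) for e in span).most_common(1)[0]
            if n_ext / len(span) >= min_ext_share:
                alerts.append({
                    "rule": "mass_encryption",
                    "host": host, "pid": pid, "process": proc,
                    "files": len(paths), "extension": ext,
                    "seconds": round(hot[end].ts - hot[start].ts, 1),
                    "action": "isolate_host",   # what the EDR would do next
                })
                break   # one alert per process is enough for the SOC queue
    return alerts


def sample_events():
    """Constructed telemetry: a word processor saving five reports, then a
    dropped invoice.exe rewriting 25 share files as .locked ciphertext."""
    text = b"Q3 loan portfolio summary, branch 12. " * 8
    evs = [FileEvent(1000.0 + i, "WKS-ACCT-07", 4120, "winword.exe",
                     f"\\\\fileshare\\finance\\report{i}.docx", text)
           for i in range(5)]
    for i in range(25):
        # A permutation of all 256 byte values: entropy exactly 8.0, and
        # deterministic so the example is reproducible without os.urandom.
        cipher = bytes((i + 31 * j) % 256 for j in range(256))
        evs.append(FileEvent(1010.0 + 0.4 * i, "WKS-ACCT-07", 9911, "invoice.exe",
                             f"\\\\fileshare\\finance\\ledger{i}.xlsx.locked", cipher))
    return evs


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

Running the block prints a single alert for invoice.exe (20 files, extension "locked", a few seconds of activity) and nothing for the word processor, whose saves are low-entropy. A real EDR adds more signals (honeypot files, shadow-copy deletion, known ransom-note names), but the shape is the same: a behavioral baseline, a threshold, and an automatic containment action that the SIEM then correlates with other sources.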
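To make the "token" factor in item 4 concrete, here is an added example (not code from this page or from CSI) of the server side of a time-based one-time password, the mechanism behind authenticator apps: RFC 6238 TOTP built on RFC 4226 HOTP, with a small clock-skew allowance and replay protection so that a code captured by a phishing page cannot be reused. The enrolled user name "alice", the timestamps and the shared secret (the RFC 6238 reference test key) are assumptions for illustration.

```python
"""RFC 6238 TOTP verification with replay protection.

Added example, not code from the page or from CSI. The user "alice", the
timestamps and the secret (the RFC 6238 reference test key) are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def decode_base32(text: str) -> bytes:
    """Authenticator apps enrol the shared secret as (usually unpadded) base32."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side of the second factor: a correct code is accepted only once,
    and only while its time step is current (within +/- `skew` steps)."""

    def __init__(self, secrets: Dict[str, bytes], step: int = 30, skew: int = 1, digits: int = 6):
        self.secrets = secrets                     # per-user shared secrets
        self.step, self.skew, self.digits = step, skew, digits
        self._last_counter: Dict[str, int] = {}    # highest step accepted per user

    def verify(self, user: str, code: str, at: Optional[float] = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time() if at is None else at) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            # Never accept a step at or below one already used: this blocks
            # replay of a code captured by a phishing page or shoulder-surfer.
            if counter <= self._last_counter.get(user, -1):
                continue
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    key = decode_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 test key
    verifier = TotpVerifier({"alice": key})
    code = totp(key)
    print("first use:", verifier.verify("alice", code))   # True
    print("replay:   ", verifier.verify("alice", code))   # False
```

The point the MFA discussion makes is visible in the code: the server never learns anything a password would give it; it learns that the caller holds the same secret the enrolled device holds, at this moment. A second password would be checked against the same kind of knowledge the first one was, which is why it adds no factor. In production the secrets dictionary would be an encrypted store and the last-accepted counter would be persisted, but the verification logic is the same.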
Enhancing Ransomware Protection with a Layered Approach to Cybersecurity
When it comes to defending against ransomware, there is no silver bullet. Instead, embracing multiple layers of security will enhance protections across the network and prevent your institution from making headlines because of a catastrophic attack. The more security layers you have in place, the harder it is for cybercriminals to successfully infiltrate your systems.
Learn more about enhancing your defenses against prevalent cyber threats with a layered approach to cybersecurity by downloading our white paper, A Guide to Strengthening Your Institution’s Cybersecurity Posture.
Sean Martin is director of Product Strategy, CSI Business Solutions Group for Managed Services. He has worked to establish cybersecurity programs for financial institutions for over 15 years. Previously, Sean served as Network and Security Operations Manager, Product Manager, and in various engineering roles since 2001. In his role, Sean identifies and implements solutions designed to maximize security and profitability for financial institutions. Sean speaks regularly on a variety of financial technology issues, ranging from managed services to IT security best practices.