WannaCry Ransomware Attack Signals Major Red Flag for Financial Institutions
Up until May 12, 2017, ransomware had not gained the same type of notoriety as other types of cyberattacks, despite repeated public warnings from cybersecurity experts about its growing proliferation. That changed when Europol estimated that 200,000 computers, in more than 150 countries, had been infected with ransomware known as WannaCry. Now, everyone with a news feed has absorbed the unsettling details of the WannaCry ransomware attack, including its crippling grasp on Britain’s hospitals.
Compared to other countries, the United States was relatively spared. However, that should not provide comfort. Our nation’s vital infrastructure, which includes the financial services sector, is still at risk for ransomware attacks and should be on high alert. The final tally earned through WannaCry will surely motivate its originators and other cybercriminals to attack again. As will the recent development in this cyber threat, Ransomware-as-a-Service (RaaS), which Forbes Technology Counsel warns has “lowered the barrier to entry and put ransomware in the hands of a wider swath of cybercriminals.”
Financial institutions must start taking ransomware seriously. To understand the urgency, let’s go inside the machinations of a ransomware attack. While not based on actual events, this true-to-life depiction is real in character, scene and plot.
Meet the Characters
Cybercriminal Organization: Despite its unfamiliar darknet milieu, its well-oiled structure is quite similar to the classic mafia framework. It develops its own RaaS plot and recruits soldiers with little to no technical skill—but plenty of motivation to make money through deception and intimidation. They attack a bank or credit union using the organization’s RaaS. The organization takes its cut, while keeping a safe distance from the actual scene of the crime.
Lowly Hack: This cybercriminal wannabe, who up to now has been limited by his lack of technical expertise, answers the recruitment call.
Bank One: The board heeded the FBI’s ransomware alert from April 29, 2016, and charged its CIO with developing a plan to mitigate this risk and authorized the budget to implement it. The resulting multi-layered security approach provided prevention, detection and recovery practices in the following areas:
- Continuous user education and awareness training
- Advanced technology such as an up-to-date email filtering system, an intrusion prevention system, regular social engineering and penetration testing, and an end-point protection system
- Stronger system infrastructure to ensure that security rights and privileges are properly assigned and monitored, all security and operating software is kept updated with available patches, a strong password policy is enforced, and networks are carefully segmented
- Detailed response and recovery plans that ensure a quick reaction to any detection and quick recovery of operations and data
- Cloud-based data backup services to further ensure the recovery of lost data
Bank Two: With a board that understands the ransomware threat but has directed the CIO to manage with minimal budget increases, investments in the latest technology are out of reach. Instead, IT staff focuses its limited resources on system infrastructure prevention areas (password protection, privileges and rights monitoring, and network segmenting). It also conducts a semi-annual employee awareness campaign.
Bank Three: Using its limited IT resources for system implementation projects and general cybersecurity protections, it has not tackled the ransomware threat on any real level.
Hear Their Stories as a Ransomware Attack Unfolds
After a day of gaming, Lowly Hack decides to look for a job as funds are running low. Without any real skills or desire to get off the couch, he turns to options on the darknet, where he finds Criminal Organization’s RaaS. After paying a small fee, he gains unlimited access to a customizable ransomware kit. Lowly Hack will maintain 80 percent of his ransoms in untraceable cryptocurrency collected automatically through the RaaS website, while Criminal Organization will keep the remaining 20 percent.
Emboldened by the ease of his initial consumer attacks that earned him $800 a pop (less than cybersecurity firm Symantec’s reported 2016 average of $1,077, but more than he’s ever made hacking), he turns his attention to bigger fish with more at stake and more money to pay: banks that he suspects have limited cybersecurity budgets or adequate defenses. Using spam email distributed via the RaaS’ botnets, a vast array of compromised computers, Lowly Hack launches his first commercial ransomware attack.
Bank One Remains Vigilant
Bank One’s email filtering system detects and thwarts the majority of the malicious spam emails sent by Lowly Hack, but since no prevention technique is 100 percent failsafe on its own, one ransomware-carrying email lands in the inbox of Jane in accounts payable. Even though the email is designed to look like a legitimate request for payment, Jane is cautious because she’s learned through corporate training that the word “Invoice” is often used in the subject line of malicious emails. Prior to opening the attached “invoice,” Jane conducts some simple due diligence and determines this is a suspicious email. She alerts IT, which further analyzes the email and confirms her suspicions.
As it does after any attempted cyberattack, Bank One conducts the following post-mortem:
- Adds this example to its ongoing user awareness campaign, along with a reminder about the importance of following Bank One’s password policy
- Shares details of the attack with the Financial Services Information Sharing and Analysis Center (FS-ISAC), of which the bank is a member
- Analyzes the current state of all prevention systems, security and operating software vulnerabilities, admin rights and privileges, and network segmentation
- Reviews its response and recovery plans to ensure their effectiveness in the event of a more successful attack
- Decides to implement application whitelisting, which goes a step beyond the standard blacklisting of certain applications and specifies “an index of approved software applications that are permitted to be present and active on a computer system”
Bank Two Learns a Lesson
Without an email filtering system, the malicious email easily makes its way to multiple persons within Bank Two. Its semi-annual awareness campaign helped the majority of recipients recognize the danger. However, John the teller and Susan in loan origination do not. Both open the email, click on the Microsoft Word attachment and allow the macro to run. Within seconds, their computers freeze, each with a ransom demand for $8,000 that blocks all activity. Fortunately, John has limited admin privileges, confining the attack to his computer. Because Susan has broader admin privileges, the attack spreads through her network segment freezing all computers on it and making the same ransom demand on each.
Bank Two does not pay the ransom because its damages are limited by two factors: First, its network segmentation did not allow the attack to go beyond John’s computer or Susan’s network segment. Second, the attack did not extend to the server housing its backup data, allowing Bank Two to recover the data lost via the unpaid ransom and resume all operations. Even though the bank was able to avoid paying the ransom, it still spent a considerable amount of time, effort and resources recovering the data and getting back to a normal state of operations.
The board realizes it narrowly dodged a bullet and allocates additional funding to thwart a more costly attack in the future. In addition to the inexpensive steps of beefing up the content and frequency of employee training, tightening up admin privileges and disabling Office macros, Bank Two invests in the following systems: email filtering, intrusion prevention, end-point protection and cloud-based backups.
Game Over, Bank Three
Meanwhile, Bank Three is dealing with a near catastrophe. Several employees fall prey to the malicious email, and because of liberal admin rights and non-segmented networks, the ransomware quickly spreads through the bank’s entire network—completely shutting it down. Because the bank has no real response or recovery plan in place, its customers are unable to bank as branches, call centers, ATMs and mobile and online banking are inoperable for several days.
Fearing the spiraling cost of downtime, the board pays a $20,000 ransom, which actually pales in comparison to the cost of the public relations campaign it needs to win back customer and shareholder trust. Not to mention having to make after-the-fact investments in desperately needed prevention, detection and recovery tools and tactics.
Lowly Hack cashes in his $16,000 in Bitcoin, while Cybercriminal Organization pockets $4,000 for really no involvement at all. Not a bad payday for a couch potato or illicit organization.
Avoid a Day of Cybercrime Infamy
The number of villains capable of bringing financial institutions to their knees with ransomware is growing at an alarming rate. Symantec’s 2017 Internet Security Threat Report warns that, “the perfection of the ransomware business model has created a gold-rush mentality among attackers, as growing numbers seek to cash in.”
Follow the lead of our fictional Bank One by taking control of your institution’s fate with a multi-layered approach to ransomware prevention, detection and recovery. Otherwise, like Bank Three, you risk establishing your own costly day in cybercrime infamy.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With more than 15 years of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations.