Given its heavy reliance on technology for every aspect of its operation, it’s no surprise that the Australian financial industry is increasingly being targeted by ransomware attackers. While there can be a strong temptation to simply pay the ransom and retrieve the locked documents, it’s important for financial services organisations to realise that paying the ransom could do more harm than good, according to Palo Alto Networks.
Sean Duca, Vice President & Regional Chief Security Officer (CSO), Asia Pacific, Palo Alto Networks, said, “Ransomware is a type of malware that, once activated, locks key documents so they can no longer be accessed unless the victim pays a ransom. The ransom itself is usually carefully set to be affordable for the victim, making it look like paying up is, in the long run, a reasonable option.
“However, victims who pay the first time only encourage attackers to hit them again, since they have proven themselves willing to pay. Furthermore, these hackers can often sell the data they’ve encrypted, so simply paying to regain access to the documents doesn’t completely mitigate the problem.
“Ultimately, the decision to pay may boil down to a business decision over the time and effort required to restore files from back-ups versus the cost of the ransom to obtain the decryption key from the attacker.”
In mid-2014, a U.S. brokerage house fell victim to CryptoWall, which both encrypted and exfiltrated data from that institution. Research by Unit 42, the Palo Alto Networks threat intelligence team, put CryptoWall in the top three industry threats in both 2014 and 2015, so it’s clear that the financial services industry needs to be prepared to address such malicious attacks.
Palo Alto Networks advises that there are seven key ways to protect financial institutions from ransomware:
1) Conduct regular back-ups of data on PCs, shared drives and any other storage systems.
2) Verify the data on the back-up system to ensure there are no surprises when restorations are warranted. This should already be a recurring practice as part of business continuity plans, but it’s worthwhile to validate this, since viable back-ups are integral to any ransomware remediation actions.
3) Scan and block suspicious files (e.g., portable executables) in all inbound email or web-browsing sessions.
4) Prevent the ingress of malware by using intrusion prevention systems (IPS) for known threats and sandbox analysis for zero-day threats.
5) Block outbound traffic to malicious URLs or sites, which may be part of the attack lifecycle for ransomware.
6) Prevent exploits and malware execution on PCs and servers with endpoint protection capabilities above and beyond anti-virus and host IPS.
7) Contain any threats by segmenting the internal network to limit lateral movement and to minimise the fault domain.
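Points 1 and 2 above (take regular back-ups and verify them before they are needed) are the part of this list a defender can check mechanically. The script below is an added example, not code from Palo Alto Networks or from the article: at back-up time it records a SHA-256 manifest of every file in the back-up set, and at verification time it reports which files still match, which have been altered in place, which have disappeared and which new files have appeared. The `demo()` function builds a small constructed back-up in a temporary directory and, when `tamper=True`, simulates what a ransomware run leaves behind (one file overwritten with random bytes, another renamed with a new extension) so that all four report categories are exercised. File names, contents and the `.locked` extension are constructed for the demo; the manifest location is an assumption and in practice should live on separate, write-protected storage from the back-up itself.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large back-up images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to backup_dir, POSIX style) to its SHA-256."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    """Persist the manifest as sorted JSON (assumed to be kept off the back-up volume)."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(backup_dir: Path, manifest_path: Path) -> dict:
    """Compare the back-up set on disk now against the manifest captured at back-up time."""
    expected = json.loads(manifest_path.read_text())
    current = build_manifest(backup_dir)
    report = {
        "ok": sorted(k for k in expected if current.get(k) == expected[k]),
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
    }
    # A back-up is only usable for restoration if nothing changed, vanished or appeared.
    report["clean"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: a three-file back-up, optionally damaged the way ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "ledger.csv").write_text("account,balance\n1001,250.00\n")
        (backup / "contracts").mkdir()
        (backup / "contracts" / "client-a.txt").write_text("Agreement text (constructed sample)\n")
        (backup / "notes.txt").write_text("Quarterly notes (constructed sample)\n")

        manifest_path = Path(tmp) / "manifest.json"  # assumption: stored outside the back-up tree
        save_manifest(build_manifest(backup), manifest_path)

        if tamper:
            # Simulate what a ransomware run leaves behind: one file encrypted in place
            # (modelled here as random bytes), one renamed with a new extension.
            (backup / "notes.txt").write_bytes(os.urandom(64))
            (backup / "ledger.csv").rename(backup / "ledger.csv.locked")

        return verify_backup(backup, manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(tamper=False), indent=2))
    print(json.dumps(demo(tamper=True), indent=2))
```

Run the script directly to see a clean report followed by a damaged one. In a real deployment `build_manifest` and `save_manifest` run as the final step of each back-up job and `verify_backup` runs on a schedule (and again before any restoration), with a non-clean report raised as an alert rather than merely printed.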
Sean Duca said, “It’s important to know that a ransomware attack is the canary in the coalmine: it’s a warning sign that your security is not up to scratch. It’s crucial to react quickly and calmly to ensure another attack doesn’t occur. Simply paying the ransom will not be the end of the attack, so revert to backed-up information and tighten your security immediately.”