Ransomware seems more prolific than ever. Why is that and do you think we’ll see that change at all in the near future?

Paul Prudhomme, Head of Threat Intelligence Advisory at Rapid7


Multiple factors have encouraged the proliferation of ransomware. One factor is the snowball effect, in which successful ransomware attacks fuel more ransomware attacks. Victims who pay ransoms encourage more attacks by demonstrating that ransomware is profitable. Paying ransoms further encourages more attacks by giving attackers more financial resources with which to fund more numerous or ambitious attacks.

The rise of the remote workforce has also created more opportunities for attackers to gain access to targets by targeting the home infrastructure and personal devices of remote employees and compromising remote access services (such as RDP and VPNs) and virtual communication platforms (such as Slack and Zoom). The initial access brokerage market, in which specialised vendors acquire and sell compromised network access to other criminals, has thrived as a result of this transformation. Ransomware attackers are key customers for this market and have thus been able to scale their operations along with it.

Another factor is the ability of ransomware attackers to develop new tactics in response to organisations’ defences in a cat-and-mouse game. For example, many organisations implemented more robust backup systems as a defence against ransomware, so as to relieve the pressure to pay ransoms by maintaining the ability to restore files without paying ransoms. Ransomware attackers adapted to this challenge by adding a second layer of extortion to their attacks, in the form of data disclosures. Threatening to disclose compromised data if a victim refuses to pay the ransom works around organisations’ backup defences, which are useless against the threat of data disclosure.


Russia, Ukraine, and other former Soviet republics have historically provided a safe haven for ransomware operators and many other criminals, as long as they restricted their attacks to targets beyond that region. The Russian invasion of Ukraine has already had a significant impact on ransomware operators in both countries, but the ultimate long-term implications are still to be determined as the war continues. Some implications thus far have included: the damaging leak of internal chat records from the Conti ransomware group, in response to its threat to retaliate for foreign cyberattacks on Russia; financial disruptions to Russian criminals due to the economic isolation of Russia; and disruptions of Internet service and other functional problems for ransomware operators in Ukraine due to war damage.


Can you explain what ‘double extortion’ is and why it has become a popular technique for ransomware gangs?

“Double extortion” refers to the addition of a second layer of data disclosure threats to ransomware attacks, beyond the historic focus on encrypting files and holding them for ransom. A “double extortion” attack involves threatening to disclose compromised data from the network of a ransomware victim if the victim refuses to pay an additional ransom line item for that.

The threat aims to put more pressure on victims to pay more by subjecting them to the risk of additional harm to their business through exposure to fraud or further compromises, legal or regulatory liabilities, damaged reputations, the exposure of intellectual property or other trade secrets. It also aims to maximise profit from ransomware attacks by further monetising an attacker’s access. This tactic emerged in response to organisations’ implementation of more robust backup procedures, which are effective against the file encryption layer of ransomware attacks but useless against the threat of data disclosure.


From the research, customer and patient information was the most frequently leaked data in the financial industry. Was this different when compared to other sectors and, if so, why is this the case?

Our research found that customer/patient data was the second-most popular category of files for ransomware attackers to include in data disclosures across all industries, but it was the most popular category for victims in the financial services industry by a very wide margin. Leaking customer/patient data is a popular tactic for use against customers/patients in all industries because it erodes consumer/patient confidence in them and can thus be an effective way for ransomware attackers to hit victims where it hurts – that is why we chose the phrase “pain points” in the research report title.

We believe that this point is even more valid for the financial services industry because they depend even more heavily than other industries on customers’ confidence in their ability to protect their money and their personal information. Ransomware attackers would thus be more likely to leak customer data from a financial services victim because it would put more pressure on the victim to pay.


What can financial organisations do to protect themselves against double extortion attacks and ransomware more broadly?

One of the goals of this report was to enable organisations to identify those “pain points” that ransomware attackers are most likely to target in the data disclosure layer of a ransomware attack. These insights, such as the above-mentioned emphasis on customer data in the financial services industry, can help financial institutions and other organisations identify those assets that ransomware attackers are most likely to target. Organisations can provide those most frequently targeted assets with additional layers of defence.

One additional layer of defence is network segmentation, with the goal of preventing attackers from ever accessing that data in the first place, even if they do gain access to other parts of the network. Another layer of defence is file encryption, so that the files would be useless for the purpose of data disclosure, even if attackers do gain access to them.

Financial institutions can defend themselves against ransomware much like organisations in any other industry. Anti-phishing education can make employees less likely to click on the malicious email attachments and links that often initiate attacks. Spam traps can prevent many malicious messages from ever reaching employees in the first place.

Securing remote access services, such as RDP and VPNs, is a critical defence against ransomware attackers and the initial access brokers that provide many of them with access to compromised networks. RDP services are popular targets for brute force attacks, and should be disabled if not in use. If RDP is in use, the organisation should implement rate limiting and require two-factor authentication, preferably via mobile app rather than SMS. VPN software should receive regular updates to patch it for newly discovered vulnerabilities that attackers can and often do exploit. Accounts on remote communication platforms should have two-factor authentication to prevent attackers from compromising them and using them to expand their access by impersonating legitimate users.
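The RDP brute-force and rate-limiting point in the answer above, as an added example that is not part of the original interview: a small Python detector that parses constructed Windows-style failed-logon lines (Event ID 4625, logon type 10) and flags source addresses that exceed a failure threshold within a sliding time window. The line format, the sample addresses and the threshold are assumptions made for this illustration.

```python
"""Flag RDP brute-force sources from failed-logon log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on exported Windows Security events; not real data.
# 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP). With NLA enabled,
# failures can instead surface as LogonType 3, so tune logon_types per environment.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-03-01T09:00:02 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-03-01T09:00:03 EventID=4625 LogonType=10 User=root Src=203.0.113.7
2024-03-01T09:00:04 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-03-01T09:00:05 EventID=4625 LogonType=10 User=guest Src=203.0.113.7
2024-03-01T09:00:06 EventID=4625 LogonType=10 User=sa Src=203.0.113.7
2024-03-01T09:00:07 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2024-03-01T09:00:10 EventID=4625 LogonType=10 User=jdoe Src=198.51.100.4
2024-03-01T09:00:11 EventID=4625 LogonType=3 User=svc Src=192.0.2.9
2024-03-01T09:05:00 EventID=4625 LogonType=10 User=jdoe Src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, eid, ltype, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "user": user, "src": src}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                      logon_types=(10,)):
    """Map source IP -> (failures in window, usernames tried) for sources that
    reach `threshold` failed logons inside a sliding `window`."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    users = defaultdict(set)      # per-source usernames attempted
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event_id"] != 4625 or ev["logon_type"] not in logon_types:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = (len(q), sorted(users[ev["src"]]))
    return flagged
```

The same sliding-window count is what a rate limiter or lockout policy enforces in real time; here it runs after the fact over log data so the detection can feed alerting.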


Are there any other cyber threats targeting the finance sector that should be top of mind for businesses?

One of the most severe threats to financial institutions is the risk of large-scale fraud via compromised access to interbank payment systems such as SWIFT. Such attacks in the past have been attributed to state-sponsored North Korean actors, as well as some of the more sophisticated Russian-speaking criminals. Such attacks are less common than other threats but can have more severe consequences when they do happen.
