With the rise of ransomware globally, every organization has been feeling the pressure, but few have felt the pain quite like financial institutions and financial service providers. With the emergence of ransomware-for-hire and the global proliferation of ransomware like LockBit 2.0, financial services need to be more alert than ever. According to Sophos, 34% of the financial services organizations surveyed indicated that they had been hit by ransomware in 2020, and 51% of those attacks succeeded in encrypting organizational data. These attacks are not solely the concern of financial service organizations; however, the financial service market must be particularly vigilant because of the assets under its management and the sensitivity of the data it is charged with protecting.
Over the last year, security researchers have found that ransomware attacks have increased by over 150% and resulted in a string of high-profile attacks against government agencies, critical infrastructure, and private businesses. The research also indicates a drastic increase in the average ransomware payment by victims, a 290% increase according to a report published by the Howden Group. This means that we are seeing a rise in both the frequency and the severity of ransomware attacks on consumers, businesses, and public entities alike. In the same vein, Sophos has identified that the average recovery cost from a ransomware attack this year in the financial services industry was $2.1 million, almost $300,000 more than the national average. While Sophos attributes this higher figure to the more extensive data recovery measures employed by financial services, the report isn’t all bad. Sophos also found that the financial services sector may be better equipped to handle successful ransomware attacks, as only 25% paid the ransom, as opposed to the national average of 32%.
Additionally, Sophos found that 8% of successful ransomware attacks were focused on extortion rather than direct ransom, with threats to publish stolen data rather than to destroy it. This was seen in the recent Bangkok Air ransomware attack, in which LockBit 2.0 stole and published over 100TB of data, and it points to a shift in tactics depending on the target. As ransomware attacks transform into extortion attacks, threat actors are increasingly deploying targeted attack models built on systematic analysis of data about their targets. This also tracks with the rise of state-sponsored APT threats over the years, as they have the resources to accurately threat-model their targets.
Beyond the direct costs of remediating a ransomware attack, financial services can suffer severe reputational losses that could harm the business in the long term. When dealing with financial transactions and handling client assets, having a stellar reputation for client confidentiality and data integrity is absolutely critical; otherwise, nobody would trust you with their assets. We’ve written previously about how seriously financial services take cybersecurity, since 70% of bank supervisors ranked cybersecurity as their top concern. Loss of client confidence in a financial institution can severely impact future revenues as new or existing clients choose to take their business elsewhere. In the United Kingdom, the telecommunications firm TalkTalk lost the personal details of over 150,000 customers, and Aon tracked that it had lost over 100,000 customers and a third of its stock value in the following year. Yet TalkTalk wasn’t even a financial firm; consumers are even less likely to continue using a financial service that has suffered data breaches in the past.
While the world comes to terms with the modern reality of the risks posed by ransomware, financial services companies need to be ahead of the game in their preparations. Given the immense responsibility of the data they safeguard, they are prime targets for extortion and ransomware. These risks can be mitigated with a strong ransomware recovery plan, a continuous monitoring program that gives visibility into critical assets, rigorous backup solutions, and proper infrastructure segmentation to limit the spread if a machine is infected. With the right processes and tools in place, you can stop ransomware in its tracks before it gets a foothold in your organization. Good cyber hygiene isn’t about the number of tools in your stack or the size of your budget; it’s about ensuring that on-the-ground cybersecurity performance is where it needs to be. Even then, the risk is still ever present, but with the right procedures in place the consequences can be severely limited.