By Gregg Petersen, Regional Vice President, Middle East & Africa at Veeam Software
After becoming one of the main cybersecurity threats in 2016 and causing global chaos in May 2017, ransomware is currently keeping everyone in a state of constant security alert. Financial organizations are particularly at risk, targeted by approximately 13% of total attacks. Ransomware was actually reported as the number one vector of security risk in the financial sector in the 2016 SANS Survey, reported by 55% of the financial services firms surveyed. The outcomes of these attacks can be highly damaging. Hackers successfully extorted a total of up to half a billion dollars from more than 32% of financial institutions in 2016 alone.
How ransomware impacts the financial services industry
Despite the increasing number of attacks on financial institutions, public announcements of ransomware infections are rarely made due to the grave brand integrity and consumer confidence consequences. However, numerous attacks were reported in the last few years. Armada Collective attacked three Greek banks, encrypting valuable data and asking for €7 million (20,000 Bitcoin) from each bank, followed by three other attacks in a span of five days. Fortunately, these attempts failed, as the banks successfully leveraged their defense strategies instead of paying the ransom.
A 2016 report by SentinelOne on ransomware highlighted that the most vulnerable data for ransomware attacks are employee records, financial data, customer information, product & IP, payroll / HR and research.
Ransomware’s notoriety is not a surprise, considering its ability to evolve and surpass traditional data protection solutions. Beyond the use of sophisticated attack techniques, such as social engineering and the development of Ransomware as a Service platforms, ransomware has been driven by certain key factors, such as security holes, lack of IT security knowledge, wrong permissions, lack of patching, and inadequate backup and recovery processes. Finally, the appearance of anonymous e-currency as a payment method as well as the decision to pay the ransom contribute greatly to encouraging cybercriminals’ future attempts.
Keeping up with compliance and Availability challenges
In this threat landscape, stringent regulations, such as PCI, DSS, GLBA or GDPR and data breach notification requirements, legally require financial institutions to properly store and protect customer data along with other highly sensitive data. As they gain more users, adopt new technologies and face data upsurges, modern IT ecosystems must maintain the ability to collect, maintain and store data in changing environments.
7 best practices for ransomware resilience in financial services
- Use different credentials for backup storage: Although this is a standard and well-known anti-ransomware best practice, it’s crucial to follow. The username context that is used to access backup storage should be closely guarded and exclusive for that purpose. Additionally, other security contexts shouldn’t be able to access the backup storage other than the account(s) needed for the actual backup operations. Do not use DOMAIN / Administrator for everything.
- Start using the 3-2-1 Rule: Veeam promotes the 3-2-1 Rule often and for good reason. It essentially states to have three different copies of your media on two different media sites, one of which is off site. This will help address any failure scenario without requiring specific technology. Moreover, to effectively prepare in the advent of a ransomware attack, you should ensure that one of the copies is air-gapped, i.e., on offline media. The offline storage options listed below highlight many options where you can implement an offline or semi-offline copy of the data.
- Have offline storage as part of the Availability strategy: One of the best defenses against propagation of ransomware encryption to the backup storage is to maintain offline storage. There are numerous offline (and semi-offline) storage options. These include:
- Tape: Completely offline when not being written or read from
- Storage snapshots of primary storage: A semi-offline technique for primary storage, but if the storage device holding backup supports this capability, it is worth leveraging to prevent ransomware attacks. It is important to consider that this strategy is not entirely failsafe and must be taken as only one of the key steps needed in ensuring ransomware preparedness
- Cloud: A great additional resource for resiliency against ransomware. For one, it’s a different file system, and secondly, it is authenticated differently.
- Rotating hard drives (rotating media): Offline when not being written to or read from
- Leverage different file systems for backup storage: Having different protocols involved can be another way to prepare for a ransomware attack. It’s imperative that users add backups on storage that require different authentication.
- Achieve complete visibility of your IT infrastructure: One of the biggest fears of ransomware is the possibility that it may propagate to other systems. Gaining visibility into potential activity is a massive value-add. An Availability solution should have a pre-defined alarm that will trigger if there are a lot of writes and high processor utilization, which is a typical ransomware pattern.
- Let the Backup Copy Job do the work for you: The Backup Copy Job is a great mechanism to have in order to create restore points on different storage and with different retention rules than the regular backup job. When the previous points are incorporated, the Backup Copy Job can be a valuable mechanism in a ransomware situation because there are different restore points in use with the Backup Copy Job. However, with the Backup Copy Job being a VBK file, it can also get infected with ransomware unless the copy is in a cloud, on tape or air-gapped.
- Educate all employees on ransomware not just your IT staff: Social engineering and phishing schemes are effective when companies do not educate employees on the dangers of ransomware nor the specific activities that leave the company vulnerable. Establish a strong source of education, communication and support to ensure the entire company is equipped to avoid propagating a ransomware attack.