The Risk and Impact of Ransomware Attacks in the Financial Services Sector

Ransomware attacks in the financial sector keep rising in frequency and intensity. Learn what makes financial institutions a top target for cybercriminals, how some of the most significant recent attacks unfolded, and how organizations can improve their defensive posture.

By Diana

Today’s cybercriminals are using increasingly sophisticated techniques to secure massive ransoms. As a result of their quickly changing methods, even the most security-conscious institutions are at risk. The financial services industry imposes some of the strictest security measures, yet major financial services organizations have fallen victim to costly attacks.

Governments around the world hold financial services organizations to high security standards, enacting a web of intricate regulations, such as SOX, GDPR and PCI DSS, designed to improve cybersecurity. To stop cybercriminals and maintain compliance with these regulations, institutions put considerable resources into security measures. Despite this emphasis on digital defenses, bad actors often find a way to infiltrate networks, encrypt data, and demand massive ransoms from organizations.

A recent study highlights the massive impact of ransomware on this sector. In 2021, financial services organizations spent over $2 million on average in response to ransomware incidents. This figure includes the money spent on actual ransoms, as well as the costs resulting from related disruptions.

What Makes the Financial Sector a Top Target for Ransomware Attacks

While cyberattacks occur across industries, the finance sector is an especially attractive target to cybercriminals for three main reasons.

1. Big Potential Payouts

Financial institutions gather large amounts of information about clients, partners, and employees. This sensitive data makes financial services organizations ideal targets for double-extortion attacks, in which the bad actors first steal data, then encrypt important systems, and then threaten to release the stolen data to pressure the company into paying a ransom. This double-extortion technique increases the likelihood of a big payout: organizations are more likely to pay because the release of stolen data could erode trust in their brand and severely damage their reputation.

2. Increased Attack Surface

As technology becomes increasingly efficient, financial organizations are digitizing more of their operations. Advancements in artificial intelligence, data analytics, and cloud technology have made digital transactions a much more efficient way of doing business. While these types of optimizations tend to improve a company’s everyday operations, they also give cybercriminals a wider attack surface to exploit.

In the interest of providing a better customer experience, institutions are partnering with third-party providers, collecting more data, and tailoring new digital systems. All of this complicates the network of data and communications. Today’s cybercriminals no longer have to attack their prime target directly. By exploiting a vulnerability in a third-party partner, bad actors can forge a roundabout path toward the network of a larger target institution.

3. The Challenge to Secure Digital Assets

Managing and securing digital assets is a complex task. Not only are most existing systems extremely intricate, but they’re also evolving at rapid rates, putting pressure on organizations to stay up to date with the right monitoring and management technologies and protocols. Even the most experienced professionals require constant training to keep up with the latest digital landscape and in-use systems, and stay ahead of new and evolving threats.

Significant Ransomware Attacks on the Financial Sector

In recent years, several high-profile institutions have suffered debilitating attacks, despite maintaining compliance with government regulations and investing heavily in cybersecurity.

AvosLocker Attack on Community Banking Service Provider Pacific City Bank

A 2021 ransomware attack on Pacific City Bank (PCB), one of America’s leading Korean-American community financial service providers, emphasizes the challenges of protecting sensitive data. AvosLocker, a group relatively new to the cyber landscape, claimed credit for the breach. The attackers focus on disabling endpoint security solutions by rebooting compromised systems into Windows Safe Mode. This lets them encrypt the victim’s files more easily, since most security products do not start when a Windows device boots in Safe Mode.
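The Safe Mode trick described above leaves a recognisable trace in process-creation telemetry: a boot-configuration change to Safe Mode followed shortly by a forced reboot of the same host. The Python example below is added here and is not part of the original article; it correlates those two events over constructed sample records with Sysmon Event ID 1 style fields (the hostnames, users, timestamps and the 15-minute window are all invented assumptions).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry: (UTC timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2021-08-30T02:14:03", "FS-01", "svc_backup",
     r"C:\Windows\System32\bcdedit.exe /set {default} safeboot minimal"),
    ("2021-08-30T02:14:41", "FS-01", "svc_backup",
     r"C:\Windows\System32\shutdown.exe /r /t 0 /f"),
    ("2021-08-30T03:05:12", "WS-17", "jdoe",
     r"C:\Windows\System32\bcdedit.exe /enum"),
    ("2021-08-30T09:30:00", "WS-22", "helpdesk",
     r"C:\Windows\System32\shutdown.exe /r /t 60"),
]

# bcdedit touching the 'safeboot' boot element, and a restart request.
# Matching both the change and its later removal (/deletevalue) is deliberate:
# the cleanup is part of the same pattern and worth an alert on its own.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)


def detect_safe_mode_abuse(events, window=timedelta(minutes=15)):
    """Return alerts for Safe Mode boot changes, escalating to 'high' when the
    same host is rebooted within `window` of the change."""
    alerts = []
    pending = {}  # host -> time of the most recent safeboot change
    for ts, host, user, cmd in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if SAFEBOOT_RE.search(cmd):
            pending[host] = t
            alerts.append({"time": ts, "host": host, "user": user, "severity": "medium",
                           "reason": "boot configuration changed to Safe Mode"})
        elif REBOOT_RE.search(cmd) and host in pending and t - pending[host] <= window:
            alerts.append({"time": ts, "host": host, "user": user, "severity": "high",
                           "reason": "reboot within %d min of a Safe Mode change"
                                     % (window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in detect_safe_mode_abuse(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["user"], a["reason"])
```

A routine `bcdedit /enum` or a scheduled restart on a host with no prior Safe Mode change produces no alert, which keeps the rule quiet on normal administration.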

When the group targeted Pacific City Bank, they managed to extract loan application forms, tax return documents, W-2 information and payroll records of client firms, and personal data including full names, addresses, Social Security numbers, and wage and tax details. Pacific City responded by alerting all of its clients about the breach and advising anyone whose information might have been involved to monitor their personal finances for potential fraud.

Sodinokibi (REvil) Attack on Foreign Exchange Company Travelex

Sodinokibi, also known as ‘REvil’, is a ransomware-as-a-service (RaaS) model that targets Windows systems to encrypt important files. The group uses multiple infection vectors, including exploiting known security vulnerabilities and conducting targeted phishing campaigns.

In the case of Travelex, a massive foreign exchange company that processes more than 5,000 transactions an hour, the company took several months to patch critical vulnerabilities in its Pulse Secure VPN servers. Travelex had seven unpatched Pulse Secure servers and waited eight months after the vulnerability was disclosed before fixing them. This lack of urgency is what gave the Sodinokibi group an opening to attack.

The consequences of the attack were far-reaching: Travelex websites in at least 20 countries went offline; employees in many retail locations had to carry out tasks manually; and global banking partners such as Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco and Virgin Money had no way to buy or sell foreign currency. The attackers also demanded $6 million in return for the 5 GB of sensitive customer data they had exfiltrated.

Conti Attack on Bank Indonesia

A recent attack on Indonesia’s central bank showed that government-run institutions are just as targeted as their private-sector counterparts. Conti, a ransomware-as-a-service operation that spreads mainly through TrickBot infections, claimed it stole approximately 14 GB worth of files from the central bank of Indonesia. Conti also uses a variety of attack vectors, including misconfigured or poorly protected RDP, purchased or stolen access credentials, and newly published critical vulnerabilities.

Indonesian officials have reported that the criminals failed to access much of the institution’s internal data, a fact they attributed to anticipatory measures. However, the attackers threatened to leak the 14 GB worth of documents if the bank did not pay the ransom.

How Financial Institutions Can Prevent Ransomware Attacks

The substantial potential payouts, the widening attack surface, and the challenge of protecting digital assets make financial services institutions prime targets for cybercriminals. With several reputable organizations falling victim in recent months alone, no enterprise is safe from the threat. Financial services companies should take practical steps to decrease the probability of suffering an attack. An effective cybersecurity approach should involve two primary components:

  • Continuous employee training
  • Machine-intelligent email security systems

With a comprehensive two-pronged approach, financial services organizations can better strengthen their defenses.

Investing in Continuous Employee Security Awareness Training

To avoid falling victim to email-based attacks, employees must know what to look for. While a single awareness session can provide a baseline of general information, continuous training is necessary to keep everyone up to date on the latest threats. Regular training can turn a company’s workforce into an important line of defense against cybercriminal activity.

Employees will feel empowered to spot malicious emails and report incidents to the cybersecurity team. If a fraudulent email reaches their inbox, they’ll identify the tell-tale signs of the attack to the best of their abilities. Not only will training protect against potential email threats, but it will also improve employee morale and engagement.

Adopting Machine-Intelligent Email Security Solutions

The majority of cybercriminals use email to infiltrate an organization’s network, encrypt data, and demand a ransom. The combination of human error and insufficient email technology gives them a window to exploit. By using machine-intelligent programs to flag and block suspicious emails, financial services organizations can considerably shore up this key weak point.

Machine-intelligent systems understand the local context, communication relationships and behavior within an organization, and use this understanding to detect and stop correspondence that falls outside the typical norms of communication behavior. Unlike traditional email security defenses, they are able to prevent advanced threats, such as zero-day attacks, and protect organizations from data loss, disruption and other damage caused by ransomware attacks.
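The kind of behavioural baselining described above can be sketched in a few dozen lines. The Python example below is added here and is not xorlab’s code nor a description of its product: it learns sender-to-recipient relationships, display-name-to-address bindings and previously seen sender domains from a constructed mail history, then scores a new message by how far it departs from those norms (the examplebank.com domain, all addresses, and the weights and thresholds are assumptions).

```python
INTERNAL_DOMAIN = "examplebank.com"  # assumed internal domain (constructed)

# Constructed mail history, not real data: (sender address, display name, recipient).
HISTORY = [
    ("cfo@examplebank.com", "Anna Lee", "treasury@examplebank.com"),
    ("cfo@examplebank.com", "Anna Lee", "ops@examplebank.com"),
    ("ops@examplebank.com", "Ops Desk", "cfo@examplebank.com"),
    ("invoices@vendor-corp.com", "Vendor Corp Billing", "ap@examplebank.com"),
]


def build_baseline(history):
    """Learn who talks to whom, which display names belong to which addresses,
    and which sender domains have been seen before."""
    baseline = {"pairs": set(), "names": {}, "domains": set()}
    for sender, name, rcpt in history:
        sender, rcpt = sender.lower(), rcpt.lower()
        baseline["pairs"].add((sender, rcpt))
        baseline["names"].setdefault(name.lower(), set()).add(sender)
        baseline["domains"].add(sender.split("@")[1])
    return baseline


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(baseline, sender, display_name, rcpt):
    """Return (score, reasons, verdict) for one inbound message; weights are assumed."""
    sender, rcpt = sender.lower(), rcpt.lower()
    domain = sender.split("@")[1]
    score, reasons = 0, []
    if (sender, rcpt) not in baseline["pairs"]:
        score, reasons = score + 1, reasons + ["no prior correspondence between sender and recipient"]
    if domain not in baseline["domains"]:
        score, reasons = score + 2, reasons + ["first message ever seen from domain " + domain]
    known = baseline["names"].get(display_name.lower())
    if known and sender not in known:
        score, reasons = score + 4, reasons + ["display name matches a known sender but the address differs"]
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        score, reasons = score + 3, reasons + ["sender domain is a look-alike of " + INTERNAL_DOMAIN]
    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return score, reasons, verdict
```

A message from the real CFO to a colleague she mails regularly scores zero, a first contact from an unknown vendor is flagged for review, and a mail whose display name says "Anna Lee" but comes from a look-alike domain is quarantined.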

To learn about how xorlab’s machine-intelligent software can protect your organization against ransomware attacks, request a demo today.