Video: State of Ransomware in Financial Services: Threats, Trends, and Countermeasures | Duration: 2048s | Summary: State of Ransomware in Financial Services: Threats, Trends, and Countermeasures | Chapters: Welcome and Introductions (8.88s), Ransomware in Finance (84.54s), Attack Surface Management (254.24s), Ransomware Attack Costs (307.95s), Threat Landscape Overview (562.685s), Financial Services Incidents (1066s), Financial Services Targeting (1424.665s), Conclusion and Recommendations (1682.15s)
Transcript for "State of Ransomware in Financial Services: Threats, Trends, and Countermeasures": Hello, everyone. Welcome. We'll give everyone a few minutes to tune in. This is being recorded, so anybody that wants to watch us on demand will be able to come back and watch it, as you wish. And I guess on that note, we can go ahead and get started. Keith, thanks for joining me. Good to be here. Go ahead and, oh, there we go, give a quick intro to ourselves. So, Keith, I'll kick it over to you to start. Yeah. My name is Keith Jarvis. I'm an Atlanta-based security researcher here at Sophos. I focus mostly on cybercrime, malware analysis, and tracking the groups that distribute malware that's targeted at financial gain. I also build the automated systems that we use in CTU to sort of keep track of what's happening at any given time. Thanks, Keith. And my name is Alex Rose. I do a couple of things here. One is leading our government partnerships around the globe, but I also sit within that research team that Keith is in and help ensure that our research can make it to our customers and other folks so that you can take action and use the threat intelligence that we provide in your day-to-day mission. So thank you, everyone, for joining us. We're here today to talk about ransomware, in particular in financial services. And as we get started, I wanna give a little bit of a nod to a couple of different reports that Sophos puts out every year. So we have the broad State of Ransomware report that we issue, which is a really large survey of cybersecurity and IT leaders around the globe. But not only do we do the large survey, we are also able to parse that down into sector-specific information. And one of those is the financial services sector. So today I'm gonna kick things off by talking a little bit about the data that we've found from that survey, specific to financial services.
And this report is about to be released; it should be released shortly. So we're giving you an early preview into the stats and information there, but definitely don't hesitate to reach out and check that out, so you can drill down into more questions that you might have. It's a really great resource. And then after I run through some of this, Keith will come back in and talk through some of what we see from a broader threat landscape, what we're seeing in the Counter Threat Unit, and how that might apply to you in financial services. So kicking things off, from that survey that we've done, you see a few numbers here in front of you that I think are really, really important. The first one is talking about the ransomware attacks that these organizations fell victim to: 59% resulted in data encryption. That is pretty darn close to the average that we've seen across all sectors this year. Not everything results in full data encryption, but it is still a really large number. And in order to get that data back, they take a couple of different routes. Some are able to use backups. Many are able to use backups, but there's also a pretty high number here. You can see that 67% in financial services did pay the ransom to assist in getting their information back. This is a bit higher than what we're seeing across the other industries. That's about 49, 50% that we see there. The third number that you see here, the percentage that you see here, is that of exploited vulnerabilities. So that means that the threat actor took advantage of an exploited vulnerability in order to gain access into the financial services organizations impacted here. This is not unusual. Keith, I don't know if you have a comment or two on this, but this is, of course, something we see across the board. Yeah.
Really, it's all about attack surface management and what you're presenting out there to the public Internet, because we know that the overwhelming majority of ransomware groups are just targeting people based on opportunity. And that means that if you're presenting yourself on the Internet with, you know, appliances and login panels, they're eventually going to find them. And if there's not an exploit like we're talking about here, there's probably also a login there that's maybe protected by MFA, maybe not. Maybe those credentials have been exposed to an infostealer in the past, but that's the cheap way that folks are going to get into your network. It's either exploiting that appliance, often, ironically, a security appliance, or, if there's not an exploit there, they're gonna get in through conventional access. Yeah. Absolutely. Not unique to ransomware operators. It is that opportunity to get in, no matter what kind of bad activity you're looking to do. So if we move on to the next one, we'll talk about a few more numbers here. So these numbers, you know, once you start talking dollars and cents, I think it's an important piece for people to think about, because we know that the cost of a ransomware attack on an organization isn't small. And what we can see here in terms of financial services, in those surveyed, is that not only is the amount demanded by the ransomware operators very high at $3,000,000, but the median ransomware payment is $2,100,000. These are both well above the cross-sector average that we are seeing, but they are indicative of the cost in general. The cost to respond to and deal with a ransomware attack is quite significant, because you're not only dealing with the actual ransom payment for those who do choose to make the payment, but you're also dealing with recovery. And so that recovery cost, you can see there, is $375,000 on average.
This is in line with what we're seeing across sectors. There are some outliers, of course, but it's not a small amount to recover. And then you, of course, are thinking through your broader security programs: what might you be missing? So how do you get to a place that helps you ensure you're defensible and trying to prevent these attacks as well? Definitely no small amount when we're talking about these demands and the amount paid in terms of ransomware attacks. And I'm gonna move on to one last slide here with some additional numbers. We won't belabor that first point because we've already talked about data encryption, but I do think that second point is really important. Of those that we surveyed who experienced a ransomware attack and had their data encrypted, the vast majority were able to get that data back. And like I said, that's a combination of using backups and paying the ransom and, you know, potentially other ways. But what's important here is that they did have a route to recover that data. I think this kind of thing is something you think through when you're building out your incident response plan. And really important here is when you're exercising that plan. Keith, do you have any other thoughts before we dive deeper on that threat landscape? Yeah. It's almost always a combination of the two. If they choose to pay the ransom, they're not gonna use backups exclusively; they'll also rely on the encryption keys that they get from the threat actor, if the threat actor does follow through with their promise to return that. The key thing, like Alex said, is testing your disaster recovery plans to make sure, if you do have backups, and most organizations do at this point, not that they're tested, that you can test them and verify them. Because when it comes time to actually do it, you know, during an incident, it'll become readily apparent to you if they're working or not.
And likewise, if you do rely on that decryptor software from the threat actors, you really are relying on the software development capabilities of somebody who probably hasn't thought a lot about your data's integrity when they're designing this thing. They're just trying to uphold their end of the deal in the barest possible way. So you really can't necessarily trust the data that comes out of that decryptor, even once you've gotten it verified by, hopefully, a threat intelligence provider that can say, you know, this isn't just normal malware that we've received from the group. So, really, you have to think about the totality of your recovery, where your data resides, and how you intend to get it back. Yeah. Definitely not simple, and a complex thing to deal with while you're in a crisis. And so, like I think we both said, that preparation and rehearsal beforehand really can help you come through what is, you know, a really terrible event, but at least come through walking out the other end and not just trying to piece things together. And so preparation is really important. And as we kind of shift here, we've spent these first few minutes talking about what we've learned from this survey. I think it's really important to put it into broader context. And so how do we do that? Well, we're coming to you from the Counter Threat Unit, which is the research group within X-Ops at Sophos. And we spend our day looking at the broad threat landscape, helping to put into context: is this a type of threat that's targeted towards my type of industry, my type of organization? Is it a type of threat that is, you know, something that everyone is dealing with? And helping make sense of the data, because there are new actors all day, every day. We're seeing new entrants into this ransomware marketplace, and that can get confusing. And that's really where we come in. And it is our job to know this inside and out.
We're really lucky to have Keith here, who is somebody that has known it inside and out for years and years now. And it helps make sense of the information that we see. It helps us take this kind of survey data and put it in context with the broader landscape that we're seeing. So as we shift here, we're gonna talk a bit more about the threat landscape as we see it from our perspective. So, meaning, and Keith, you alluded to this a bit, so it's probably worth saying it again: when it comes to ransomware, when it comes to most types of criminal money-making enterprises that are going on, it is not about targeting one specific industry. It is about the opportunity to get in. And so I would say that there are some industries that might have more opportunity than others. Financial services luckily does a pretty darn good job, and, of course, that's due to a variety of regulations and other things. And Keith, I know you've looked at how the financial sector has been impacted throughout history. They do pretty well because of the history that they've gone through there. So before we jump in, if you have any other point to make on that. No. Yeah. It really is the case. If we were doing this webcast ten years ago and talking about financial services, it would be a different story about what the threat model is, because there were a number of cybercriminal crews who were specifically targeting your industry. It was back in the days when banking botnets were out there, and they had, you know, custom web injects that could intercept your customers' transactions, their sessions online, and they were essentially robbing the industry blind for many years through the early 2010s. Obviously, the industry caught up with that, and in doing so, they really diminished the capability of those threat actors to get the large, lucrative crimes through. And there was also the emergence of ransomware, which is a much easier way to monetize a compromised network.
Those two things happened at the same time and really sort of put financial services back into the bucket with the rest of the industry verticals, where you're just another organization that's in the pool of potential victims. Now, that's not necessarily always true, and we'll go over some of the points in the next slide. But, you know, there are still some opportunities for specific targeting of financial services, you know, if you're issuing gift cards or payment cards or if you're handling that type of data there. Yeah. Absolutely. And on that, we'll go ahead and skip into what we see here in terms of specific threats. So I'll turn it over to you, Keith, to talk through what we're seeing here from our broader view. Right. Yeah. So just to reiterate, about 95-plus percent of the time, a financial services organization is a victim of, you know, a ransomware group or a financially motivated cybercriminal group. It's just because the opportunity presented itself, but there are certainly some situations that you have to think about where your threat model is gonna change as opposed to some other industries. One is that, obviously, especially if you're a custodial organization, you handle money, the transactions of money going from one place to the other, which is of obvious interest to people who are involved with transaction fraud. There are also opportunities to compromise personally identifiable information, so PII. We know that when ransomware groups post that stuff on their leak sites, the thing they put up front and center is, like, you know, the scans of passports, the databases, the personnel details. So that's the stuff they really key in on for leverage in a ransom negotiation, and, of course, financial services has a lot of that sort of data.
That being said, you know, if you are a commercial banking services company, you're probably going to see the downstream effects of one of the largest segments of cybercrime, which is business email compromise, that's intended to intercept large monetary transactions, whether it's business-to-business transactions or real estate deals, these types of things where large quantities are being wired. All of that's usually being facilitated over email. So if you have, you know, auditing on accounts, you're gonna see the downstream effects of that from your customers who are gonna be victimized by that. So it's something to think about, largely from a fraud mitigation standpoint, but it's also data that's available to you. Some industries, especially in Latin America, are gonna have malicious mobile apps that are capturing credentials. This happens a lot on both the commercial and the retail side. So, you know, sideloading apps onto a mobile device is much more common in certain regions of the world, Latin America being the primary example, North America less so. But if your customers are using a lot of mobile apps to interface with your company or associated companies, they should be aware, and you should be aware, that there's a lot of stuff out there that's making its way onto the Google Play and Apple App Store marketplaces that's intended to mimic those real applications, but instead either captures credentials or reroutes money while it's in flight.
You're also going to see, you know, sort of money mules that play a really important role in a lot of traditional cybercrime, because you have to steal the money, you sort of have to launder the money, and then you have to get it back out into the real world so it can be used by the criminals for their own personal wealth creation and also to pay off the people whose services they have used along the way. So a lot of that is gonna appear in the data that you may collect from your customers. You're seeing sort of anomalous behavior coming from them: people who don't normally do $50,000 wire transfers, and then all of a sudden the receiving number, sending them, stuff like that is gonna make itself apparent in the data. And, again, to go back to one thing I mentioned earlier, you think that, at least in North America, we were the last ones to sort of get off of the mag stripes on our payment cards, but they're still there. And there's still an opportunity for both card-present and card-not-present types of fraud. So, in card-present fraud, we're still seeing a lot of activity in, you know, hardware skimmers that are going into retail locations, anywhere where there's any sort of terminal where people can put in a payment card. We're seeing an increase in that. But we're also seeing scrapers being put onto retail websites, where they're capturing that card data with the CVV code. And they're able to then use that for card-not-present fraud. So both are still happening, you know, decades after we thought that we were going to solve this problem here in the States specifically. But if you deal with any type of, you know, PCI-framework payment card data, you really have to be aware of the fact that this is still a pretty vibrant part of what is happening. Yeah.
And I think before we go to the next slide, financial services is always an interesting one to have a conversation about, because it's so complex there. You have your own consumers. You have businesses that you're supporting. You have the protection of your own business itself. And so there are just so many different layers to think about there. As we move to this next one, I think that... Yeah. So we said it at the top of the presentation: we don't see a lot of compromises with financial services organizations. And, you know, if we're patting ourselves on the back, it's because we invest so much in that particular industry in making sure things are safe, because so much in the economy requires confidence in that industry being safe, for both consumers and for large companies to engage in commerce and not really have to worry about the rug being pulled out from underneath them. So there's a large regulatory framework around it. There's a lot of money invested in resources at these organizations to make sure that security, if it doesn't come first, is pretty close to coming first. But we do still have a fair number of incidents at financial services companies, and I'll go through a few of those incidents. Not all of these resulted in ransomware. Again, you know, financially motivated cybercriminals come in all sorts of forms, not just ransomware. But here are a few things that we've seen over the last few months, just to give you some real-world data on this. And a lot of these threat classes are stuff that we're seeing in every other industry, manufacturing, you name it. Right? So, BEC, sort of inbox rule modification, is probably one of the most common things that we see on a day-to-day basis from a response perspective: somebody's account has been compromised.
They get into the Outlook or G Suite email, and they're able to read emails, get their bearings, figure out where they are. They're able to insert an inbox rule that maybe filters emails coming from a certain domain or with certain keywords, and they can put those into a separate folder that's not going to be seen by the owner of that account. And they may use that to then, you know, spam other organizations, using your organization's reputation as a stepping stone to others. If you're handling those types of transactions, they may use that opportunity to modify those to divert payment to another account. But we see this as, you know, one of our highest-volume incident types. Usually that's facilitated in some form by a compromised account coming from a phishing email, which sends you into what we call an adversary-in-the-middle framework, which intercepts your credentials. It may present itself as an M365 login screen. If you enter your credentials, and if there's MFA on the account, then you're gonna get that challenge, and you're gonna enter that into that same adversary-controlled page. And they're also gonna be able to then use that to authenticate into your environment, and then notify a human threat actor who's going to take over from there and start to do the sort of reconnaissance and steps to figure out, you know, what's of value. Another big vector we see for a lot of types of malware is drive-by downloads, where you could just be browsing the web. You might come across something that's a fake CAPTCHA, or something that tries to convince you to update your browsing software. But in reality, it's just a Trojanized binary, a piece of malware. Usually an infostealer; a very common one is, you know, a ClickFix framework into Lumma C2. But this is going to steal every credential that's stored on your system, all the stored cookies for active sessions.
That stuff's going to get bundled up and usually resold on many marketplaces, either on Telegram or self-hosted, that are out there. And it's going to get sold to somebody, probably a ransomware threat actor, who can make money with that. And then going back to, you know, some of the compromises we've seen of appliances that are out there on the public internet, the common one we've seen is the Check Point CVE listed here. Saw that used against a financial services company recently. And, like we talked about earlier, when it's not a vulnerability that's in one of those appliances, it's a compromised account getting in. So you gotta worry about not just CVEs that haven't been patched, but you also have to worry about brute-forcing attacks, you know, credential stuffing, and then the actual credentials that have been stolen, maybe by, you know, Lumma C2 or another infostealer, from a previous infection. Right. So we've seen phishing that's not intended to steal credentials, but maybe intended to convince end users to do something unsafe, like allow remote access software to be run on the system. That just gives the threat actor unfettered control of that machine, which they can use to install more persistent malware and then move laterally into the network. So that's a pretty frequent one. Exposure of data that's out there. So if you have S3 buckets, that's a common one. That's one that I think got Capital One to much fanfare about six, seven years ago, but we see it still today. Somebody left a, you know, Elasticsearch cluster out there on a cloud provider, had some data on it, and that data was stolen. So you have to really, again, manage the attack surface which you're presenting to the public internet, because people are getting in. And then finally, going back to these security appliances you might have.
That's kind of the big irony here, that a lot of the appliances that you have on the public Internet are gonna be there to make your organization more secure, ostensibly. Right? It's gonna be a VPN concentrator or some sort of file sharing appliance, something like that, but those are the top targets for these groups. So one thing that we've seen recently, especially in financial services: if you use something like SonicWall, you know, they had a breach a number of months ago where their cloud configs were leaked, which had some credentials in them. And we're now seeing those threat actors start to use those credentials to come back to your environment. So, again, just to kind of reinforce it, this is nothing that specifically targets financial services. We might see any one of these points at any other industry. It's just that this is what's happening to y'all. Yeah. Absolutely. It's definitely what's happening. We have seen each one of these in financial services and others. And so we do make sure that as we're looking to understand the threat landscape, we wanna point out if there's ever a time when something is targeted or a specific type of technology that we see more prevalent in one industry or another. But more often than not, when it comes to the money-making side of things, it's absolutely opportunistic in nature. And so I think that makes it a little bit challenging, because you do have to focus on so many potential ways that they get in. But like you say, it comes down to understanding your attack surface, and then, of course, doing things like monitoring it. And actually, as I say that, I don't wanna get too far ahead, because I think here in a moment we'll talk a bit more about what you take from this. But before we do, I think it's important to dive into what we're seeing from a kind of numbers-and-percentages type of view, right?
This isn't just the survey data. This is some other ways that we're looking at this data. So if you wanna talk briefly about what we're seeing here, Keith, that'd be helpful. Right. So, again, by virtue of these being crimes of opportunity, we see a broad impact across a lot of different sectors. So if you were to compare those sectors with, you know, who Sophos provides protection for, or their percentage of the global economy, the stats would sort of flatten out, and it would show you that trend that really everyone's a target, because everyone presents themselves out there as a target in largely the same way. So, you know, healthcare has gotten a reputation over the last several years as a prime target for these groups. Things like that do happen, where an industry gets in the news because, obviously, a hospital gets encrypted and their operations shut down or services are being denied to patients. That makes a huge news story. And, you know, any PR is good PR for ransomware groups, to a certain extent. So there was a time there when a lot of these groups said, we specifically do want to go after healthcare, right? We do want to go after hospitals. So that does happen. It hasn't happened yet with financial services, but it could in the future. And what we see with the actual breaches at financial services companies is that the groups that are doing it are the groups that are responsible for the overwhelming volume of all of our other customers' breaches. So the top slice here is the Qilin group. This is amongst probably the highest-volume groups that we deal with on a day-to-day basis, especially over the last six months, with breaches. And it's no surprise there that, you know, financial services are well represented in these groups' targets. Yeah. Absolutely.
You know, there are anywhere between, I would say on any given day, like, 75 to 120 different ransomware groups out there in terms of the names that we're seeing and that we're tracking. And the one thing I often say is, don't get bogged down in the names of those groups. Focus on the tactics that they're using, which is a lot of what we're talking about here. Make sure you have a security partner that does understand the ins and outs of these. This is really our job: to understand who does what, why, and how they do it. One, to prevent and detect ahead of anything that might happen, but then also for those that come to us for incident response, so that we can help you respond and recover. Right? So that's when understanding how these groups operate, and how each one might operate, really comes in handy. But day to day, I think it's most important to look at how they're doing what they're doing, the TTPs that they're employing, and then making sure you're protecting against those. Because as names change, we often find that a detection or protection that we created a few years ago applies today, because the tactics aren't necessarily changing day in and day out. So as we get towards the end here, I think any discussion like this really should come with this: what does this mean for me? What do we do? Where do I focus? Yes, I've shared a bit of the data from our ransomware survey that you will be able to gain access to here shortly. Keith has done a really great deep dive into what we're specifically seeing in this space in terms of the broad threat landscape. But at the end of the day, it comes down to how we prevent this kind of attack in your environment. What are the things that you can do? And so we've got a few of these to talk through. And, Keith, if you wouldn't mind maybe picking one or two that you think are most important to drill into as we close out here, that'd be really helpful. Yeah, sure.
So we've parked on the externally exploitable vulnerabilities and talked about attack surface management. So that's obviously the key one. But so much of cybercrime is really centered around identity. So, credentials: how they sort of show up on your network, and whether you can detect if they've left your network in a malware incident with an infostealer running. It used to be, if you had an infostealer run on a system, well, it was just a reimage-and-reissue type of situation. But really, now you have to go down and do a full inventory of who was active on that system, what systems did they have access to. You really need to start having a process for revoking credentials when there's any possible exposure, because, like we said, maybe the threat actor that stole those was low capability, but there's a good chance that they'll sell it to somebody who will see you as a valuable target and will purchase those and then come in and do far more damage than that original threat actor could. So moving as many, you know, sort of login pages off your external-facing sites as possible is ideal. If they're out there, then have multifactor authentication enabled on them. So, for Microsoft, have number matching turned on. And ideally, you have sort of phishing-resistant types of MFA tokens available to you, where they can't necessarily intercept that code and then, you know, just use that right through their adversary-in-the-middle framework. So that's really, I think, a key thing that folks should be focusing on: implementing those things and then really having good monitoring of that to know when things don't look normal. Yeah. Absolutely. I think that monitoring piece is really, really, really crucial, because I think people and organizations are doing a pretty great job of purchasing some of the right technologies and capabilities to protect them, but that monitoring is absolutely key.
It's not always gonna be this loud, you know, like, siren blaring in the background that something's going on. You have to have your monitoring plan. You need to be building your response plan and exercising that. And like you say, it's eyes on what's going on so that you can see when something is different, wrong, and needs that extra inspection. And so I think that really closes things out for us. We really appreciate everyone taking the time to listen to what we had to talk about here, talking about the threat landscape, what we're seeing in terms of ransomware in particular for the financial services sector. But as always, we're here. Please don't hesitate to reach out. We're happy to have these conversations with you and help, you know, establish the right program for where you are. And I think the last bit that I will say is, cybersecurity is not an all-or-nothing game here. No matter your industry, incremental progress really, really matters. And so whether that next step is, I need to really get a hold on my vulnerability management program, or, I've got some monitoring here and there and I actually need to refocus that a little bit, or I need to hone in, I'm ready to understand what's going on with my identity across my environment: each step that you take is really, really important in helping stop these attacks. So not all or nothing. Just keep making progress in what you're doing. And that's it for us. Thank you.