How financial institutions can avoid re-infection in the age of ransomware

Martin Brown, GVP EMEA and APJ, Rubrik

Over the past few years, ransomware has been dominating headlines across the world. It has evolved from small-time hackers to a lucrative economy run by sophisticated cybercriminal gangs and even state-sponsored groups. It continues to pose a threat to financial services organisations of all sizes. In fact, a recent study from Rubrik Zero Labs uncovered that 99% of global IT and security leaders were made aware of at least one attack in 2022.

And while the financial sector is now generally more aware of the dangers of ransomware infection, many leaders still don’t have a good idea of what to do when – not if – they come under attack.

According to Gartner, the cost of recovery and the resulting downtime in the aftermath of a ransomware attack can be 10 to 15 times more than the ransom itself. At present, the focus remains on prevention, rather than recovery. It’s clear the time has come for the mindset to shift, and businesses – particularly high-risk FSIs – can’t afford to ignore this. But, how do these organisations recover quickly and efficiently? And most importantly, how do they avoid reinfection?

Paying out isn’t the only way out 

Some FSI business leaders are still unaware of exactly what happens when they have been hit by a ransomware attack, and some believe that operations can resume immediately once they get back the keys to their data.

Rubrik Zero Labs recently found that 72% of organisations reported paying ransomware demands last year. It’s no surprise then that in the US alone, US banks and financial institutions processed approximately $1.2 billion in ransomware payments in 2021.

But paying out isn’t the way out. The reality is that even after paying, you’re not guaranteed to get all, if any, of your data back as hackers may retain some data or only return parts of it. Especially if the business falls victim to the growing threat of double extortion ransomware. In fact, research from Zscaler’s ThreatLabz unit has found a nearly 120% growth in double extortion ransomware. Even after paying up, recovery can take days or even weeks to restart all operations. Of those that paid ransomware, only 16% were able to recover all of their data. With double extortion, this type of dual-pronged attack not only places organisations at risk for downtime but also regulatory compliance failure from the leakage of sensitive data.

Financial services businesses are sitting on a sea of sensitive data. For these businesses, data security is becoming increasingly complex as mission-critical datasets rapidly grow and become more distributed. This makes the need to invest in and build a solid, multi-level recovery plan so that they can avoid paying ransom, even greater. It is no longer a nice-to-have but a must-have. And, importantly, a remediation plan requires intelligent impact analysis and data loss prevention as core elements. You need to hunt and contain impacted files, and you need to understand exactly what sensitive data has been compromised and who has access to it before you switch the lights back on.

After all, there is no point in using company time and resources to try to get back the data if you are blind to what you need to recover.

Remediation that you can bank on to avoid reinfection 

So, how do you build a remediation plan? FSI businesses should create a detailed playbook that outlines the people involved, the policies and procedures and the resources needed. While staffing, stakeholder notification and processes, are all vitally important, intelligent investigation needs to be at the heart of this to enable detection, analysis and rapid recovery without reinfection.

First of all, these businesses need to create a blueprint during times of peace. It goes without saying that proper preparation prevents poor performance. This plan must determine the most business-critical applications, files and systems within an enterprise’s network for each department to function properly and to ensure the health and safety of customers and employees. These systems are at the front of the queue for recovery and having a plan in place enables testing effective recovery in a controlled environment. What’s more, regularly reviewing critical applications also supports auditing and compliance efforts, especially in a high-risk and highly-regulated industry like financial services.

Before deciding on a response to any attack, it is essential to analyse and understand the ransomware. As such, the business’ playbook should provide guidance on how to collect information and decipher what technologies and techniques were used. Questions to determine the exact blast radius should be: what vulnerabilities did the attackers exploit? How could they further exploit them? What methods did they use to gain initial access and did they acquire any credentials? What data is exposed and what files have been encrypted?

Machine learning-powered anomaly detection and threat impact analysis – which identifies data patterns that deviate from a dataset’s normal behaviour – can determine quickly whether sensitive data was lost or not and help limit regulatory fines and costs related to breach notification. And of course, reducing the amount of sensitive information exposed to ransomware reduces the time and effort needed for recovery.

The real key to avoiding reinfection, though, is quarantining the ransomware through an isolated recovery zone. Through selective file-level, object-level, and application-level restoration, a business can recover their most important applications in a contained environment, clean and remediate them and restart the services that support them, before moving them back to the production environment. Security teams need to work together to eradicate all traces of the ransomware incident so the attacker can’t renew the attack later on.

Unfortunately, the likelihood of ransomware attacks is only increasing in the current landscape. Therefore, financial businesses must always assume a breach is going to happen. The future is about rapid recovery. Paying isn’t the only way out, but a remediation plan with intelligent impact analysis at the centre will enable FSI firms to determine what sensitive data has been compromised, who has access to it and the best course of action for recovery. This is the reality of avoiding reinfection.