By Paul Prudhomme, Head of Threat Intelligence Advisory at Rapid7
Ransomware poses a significant challenge for security teams in the financial sector. Rapid7 has been keeping a close eye on the escalation of this threat.
It is well known that ransomware gangs do not choose sectors on a whim; their attacks are highly targeted. These adversaries gravitate towards the sectors whose organisations they think are most likely to meet their demands in order to avoid immense damage.
The finance sector is an attractive target for ransomware attacks because of the sheer volume of data and critical services managed by financial institutions. Any downtime or leaked data in this industry can affect thousands, if not millions, of customers. Therefore, the prospect of threat actors stealing and ultimately leaking sensitive data to extort more money in the second layer of a “double extortion” ransomware attack has security teams rightfully concerned.
Rapid7’s investigations found that financial data was the most likely to appear in a ransomware data disclosure, accounting for 63% of all leaked data between April 2020 and February 2022. So, as ransomware threats continue to dominate this sector, it’s important that organisations identify the vulnerable assets on their networks and how threat actors are exploiting them.
Most targeted categories in financial services data
Threat actors have been upgrading their tactics with the changing times. It would seem obvious that anyone hacking the financial sector would focus on monetary data. However, they have come to realise that focusing on monetary information from the sector will not give them the economic benefit that they desire. Instead, the ransomware gangs are targeting customer data and, at the same time, aiming to leak employees’ personally identifiable information (PII) and HR data.
According to our research, since April 2020, 82% of disclosures from financial services organisations included customer data, and employee PII and HR data were found in 59% of disclosures. Furthermore, in 29% of cases, data disclosures included reconnaissance details that other adversaries could use to further victimise the targeted institution in the future.
Point of focus within financial services
The patterns that ransomware groups follow make it clear that, rather than focusing on the industry or the firms, these attackers target individual people and threaten to leak personal information. Could this be because the gangs are aware that the weakest link of any organisation is its people? Targeting client information and threatening to leak it not only jeopardises the values and the reputation of the firm, but also exerts pressure on financial institutions by hitting them where it hurts – the trust of their customers and employees.
Individuals’ financial and personal information is at the utmost risk from these gangs. Not only do they have access to employees’ and customers’ private information, but they also make those customers and employees vulnerable to identity theft. The priority, then, should be to reduce the risk of falling victim to a ransomware attack in the first place.
Protection against ransomware gangs
While there isn’t a definitive way to ensure that every bit of data within a corporate network is protected, there are certain practices that an organisation can implement to improve its chances against ransomware attacks. One of the easiest ways to ensure protection from data leakage is to recognise and prioritise the types of data that need extra protection. This includes the kinds of data that adversaries target most frequently, or the types of data that provide bad actors with the most profit.
To ensure that cyber criminals do not get their hands on crucial information, it is of paramount importance that firms go beyond just backing up their data. There is no guarantee that an attacker will completely give up control of compromised information even after the ransom is paid. Therefore, organisations should encrypt their most sensitive data sets and segment key assets to reduce the likelihood that attackers will gain access to them. These practices ensure that if a ransomware attack takes place, the threat actors will not be able to access the data at all, or if they do access it, it will be useless in encrypted form.
With the ransomware threat showing no sign of slowing down, it’s vital that every organisation across the financial sector remain aware of the risks posed to their own business as well as to their customers. Taking action to implement the appropriate measures outlined here should be a top priority for any financial firm looking to maintain cyber resilience, ensure the protection of employee and customer data, and uphold their reputation.