By Niall Sheffield, Lead Solutions Architect at SentinelOne
With its ability to cripple an organisation after a single click, ransomware has emerged as one of the leading cyber threats facing organisations in recent years.
The abundance of high value information owned by financial organisations means they are more threatened by attackers looking to steal data rather than encrypting it. However, the financial services industry is still at serious risk of ransomware, and research from SentinelOne revealed that 49 percent of organisations had been hit with attacks in the last 12 months alone.
The research carried out in February 2018 surveyed security and risk professionals at 500 businesses on their experiences with ransomware. Of the respondents in the financial services industry, 28 percent had been targeted by at least 5-6 attacks in the last year alone.
Breaking down the costs
The cost of a ransomware infection can escalate extremely quickly. Even if the firm does not or cannot pay the ransom demand, lost revenue from the downtime and the time and resources needed to contain the outbreak and restore back-ups can add up to hundreds of thousands of pounds.
SentinelOne’s research found the average total cost of a ransomware infection in the financial sector was £467,748 for the last 12 months. Further, 14 percent of respondents had suffered total costs of a staggering £1m to £1.5m. SentinelOne estimates that ransomware attacks cost UK businesses a combined £356m over the last year.
When it comes to the actual ransom demand, 17 percent of respondents in the financial sector stated they had paid the full ransom each time they were compromised by an attack.The average value of the ransoms paid by the industry over the last 12 months stood at £37,812 – slightly higher than the overall average across all sectors of £34,845.
No honour among thieves
Paying a ransom is an extremely risky choice and there are many incidents where attackers have not decrypted the files even after taking the money. While this is sometimes a final act of malice by the criminal, the failure to honour the deal is often because the ransomware was poorly constructed and is unable to decrypt the files.
One of the most recent examples of this issue was the Thanatos ransomware, which demanded a payment in bitcoins. The malware created new keys for each encryption but failed to save them anywhere, making it impossible for the perpetrators to undo their damage.
Giving into the criminal’s demands also helps to perpetuate the threat, as each ransom paid adds credence to the notion that ransomware is a reliable money-maker.
While the total amount paid tended to be higher, the financial services sector stands as one of the most resistant to giving into payment demands.66 percent of respondents stated they had not paid any of the ransoms in the last 12 months and were able to restore their operations via rolling back to a prior date or decrypting the files. This was significantly higher than the 46 percent average across other business sectors.
Preventing an outbreak
While it is encouraging that so many financial services firms were able to avoid ransoms by restoring their own systems, this is still a costly process. SentinelOne’s research found that the amount of time spent decrypting ransomware attacks stood at an average of 40 man-hours, an increase from 33 man-hours in 2016. The extra resources required to resolve the crisis, along with the cost of disruption, means that resolving an infection is still apyrrhic victory.
Instead, businesses are much better served by ensuring they can prevent an outbreak from occurring at all. The majority of attacks begin by compromising a single endpoint device before moving laterally through the network, so endpoints should be the focus on defensive efforts.
The key to preventing an infection taking hold is to spot the malware the moment it tries to start digging into the system. This can be achieved by scanning the system’s binary for the unique activity undertaken by ransomware, such as binary entropy, a sign of the obfuscation and packing activity common in ransomware.
Identifying activity such as scanning the hard drive, rapidly initiating file encryption, and editing shadow copies will also quickly reveal a ransomware attack has begun. Behavioural analytics is very useful here, as typical ransomware activity is quite distinct from normal user behaviour and therefore easily identified. Catching these signifiers in real time means the attack can be shut-down before it spreads to the network and the infected endpoint can then be restored.
By equipping themselves with the ability to identify and stop a ransomware attack as soon as it begins, financial organisations can protect their valuable data from being encrypted and prevent disruption to their services. While the sector is further along this journey than many others, this ability must be universal if the threat of ransomware is to be truly defeated.