By John O’Connell
The recent ransomware attack by DarkSide on Colonial Pipeline highlights how crippling ransomware can be for a business. Colonial Pipeline shut down pipeline operations for six days after DarkSide encrypted its files. The company paid a cryptocurrency ransom of nearly $5 million for the decryption tool, and even then the tool was reported to be so slow that Colonial kept restoring from its own backups in parallel.
Can this happen to a financial services firm? Absolutely, and it has. Can this cripple your firm? Guaranteed. This article discusses what ransomware is, how it works, the costs of paying and of refusing the ransom, and how you can protect your firm now.
Ransomware is a lucrative and growing business.
Ransomware attacks are on the rise, with a 62% increase globally and a 158% increase in North America in 2020. Homeland Security Secretary Alejandro Mayorkas stated in May 2021 that the rate of ransomware attacks in the US increased 300% in 2020, with three-quarters of the victims being small businesses, and that victims paid a total of over $350 million in ransoms. The average ransom exceeds $225,000.
DarkSide had brought in at least $60 million from its emergence in August 2020 through March 2021, according to cryptocurrency research firm Chainalysis. That is remarkable revenue for what is effectively a start-up in the ransomware space.
The Colonial Pipeline attack was a double extortion scheme: DarkSide not only encrypted Colonial’s files but first copied the data out of the network, then demanded payment both for the decryption keys and for not leaking the stolen data to the internet. Colonial had little choice but to pay, especially if sensitive data was compromised.
DarkSide hinted at a new revenue stream in April 2021 by offering to tell traders which companies it was about to hit, so that buyers could short the stock before the ransom demand was delivered. This heightens the threat to a targeted firm: pay, or your data stays encrypted, it is sold to the highest bidder, and your stock is shorted in the market.
Remote work has been a boon for the ransomware industry.
Ransomware attacks have become significantly more sophisticated, with new open-source tooling, fast technology innovation, and more soft targets now that most workers access systems remotely from home. Remote workers are likely to have low or no security standards on their home networks. They are also more likely to reach corporate systems through unsecured wireless networks, like the one at the local coffee shop, often without an encrypted connection such as a Virtual Private Network (VPN). They are also more likely to access corporate systems, such as email, from their phones. Each of these is a weakness and an entry point for malicious software.
The reality is that the wealth management industry, which publishes large dollar figures for assets under management and assets under advisement, is an attractive target for ransomware actors like DarkSide. Not many firms can easily absorb a million-dollar ransom, or the publication of their client list, holdings, advisor salaries, or executive salaries for competitors to see.
The far reach of a small ransomware attack
The Colonial Pipeline attack had far-reaching implications, as the 5,500-mile pipeline supplies 45% of the East Coast’s diesel, jet fuel, and gasoline. The pipeline runs from Houston, Texas to Linden, New Jersey. The loss of pipeline operations pushed per-gallon gas prices throughout the East Coast of the United States to their highest level since 2014, and the federal government issued an emergency declaration for 17 states and the District of Columbia.
This high-profile attack brought much needed attention to a growing problem for companies globally. An examination of this attack shows how vulnerable companies can be.
DarkSide gained access to Colonial’s network and, on Thursday, May 6th, copied nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in about two hours before encrypting systems. DarkSide then notified Colonial of its demand of nearly $5 million, payable in cryptocurrency, in exchange for the decryption keys.
How do these attacks work?
These attacks typically start with an employee or contractor receiving an email carrying a malicious attachment, such as a PDF, a Microsoft Office document with macros, or a file posing as a video. Attackers also use website links disguised as messages from commonly used services like Amazon, Spotify, and Netflix. The employee or contractor clicks the link or opens the attachment, and the malicious software installs itself on the computer, giving the attacker a foothold inside the firm. Phishing is not the only door: Colonial’s own intrusion was later traced to a leaked password for a VPN account that had no multi-factor authentication, which is why remote-access accounts deserve the same scrutiny as email.
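The disguised links described above can be caught mechanically before a user ever clicks. The following Python script is an added example, not code from the article: it parses an email body, pulls out every link, and flags links whose visible text claims one destination while the href points at another, links that name a known brand but do not land on that brand’s domain, and punycode hosts. The email body is constructed, KNOWN_BRANDS is a deliberately tiny stand-in for the list a firm would maintain, and the registrable-domain rule (last two labels) is a simplification; real tooling should use the public suffix list.

```python
"""Flag email links that do not go where they claim to.

Added example, not code from the article. The email body is constructed,
KNOWN_BRANDS is a stand-in for a firm-maintained list, and registrable()
uses a naive "last two labels" rule instead of the public suffix list."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the lures in the text impersonate, with their genuine domains (assumed list).
KNOWN_BRANDS = {
    "amazon": {"amazon.com"},
    "netflix": {"netflix.com"},
    "spotify": {"spotify.com"},
}

# Constructed phishing-style email body; 203.0.113.10 and the .example host
# are documentation addresses standing in for attacker infrastructure.
SAMPLE_EMAIL = """
<p>Your Netflix membership is on hold.
<a href="https://netflix.com-billing-update.example/login">Update payment</a></p>
<p>Or visit <a href="https://203.0.113.10/track">https://www.amazon.com/orders</a>
to view your order.</p>
<p>Questions? <a href="https://www.spotify.com/help">Spotify Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels (simplification, see docstring)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return (href, text, reasons) for every link that looks disguised."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        text_l = text.lower()
        reasons = []
        # 1. The visible text is itself a URL, but the link goes somewhere else.
        if "://" in text_l or text_l.startswith("www."):
            shown = host_of(text_l if "://" in text_l else "http://" + text_l)
            if registrable(shown) != registrable(host):
                reasons.append(f"shows {shown} but goes to {host}")
        # 2. A known brand is mentioned, but the host is not one of its domains.
        for brand, domains in KNOWN_BRANDS.items():
            if (brand in text_l or brand in host) and registrable(host) not in domains:
                reasons.append(f"mentions {brand} but {host} is not an official {brand} domain")
        # 3. Punycode hosts can hide lookalike characters in the domain name.
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (internationalized) host")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: " + "; ".join(reasons))
```

Run against the sample body, the Netflix and Amazon lures are flagged and the genuine Spotify link is not. The same three checks can be applied to a mail gateway’s URL rewriting step or to a training tool that explains to the user why a link was blocked.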
Unlike a classic computer virus, modern ransomware rarely spreads by copying itself into other files. Instead, the intruders use the first compromised machine to harvest credentials and move from system to system across the company network, often with the same administrative tools your IT staff use. They will quietly live in your network for weeks or months while they learn about your systems and software.
The Marriott breach, which affected up to 339 million guest records, was detected in a reservation system in 2018. The investigation found that the network had been compromised sometime in 2014. The intruders’ software collected information about Marriott’s systems and customers for four years before it was detected.
Once the intruders know enough about your network, they begin to inventory your information. They target the systems that hold legal, human resources, client, and financial information, because that data can cause the most harm to the company if it is leaked.
The intruders rapidly copy large amounts of your information to their servers, encrypt your data, and then send the ransom demand. Many firms have little choice at that point but to pay the ransom or lose the data and rebuild from whatever backups survived.
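The bulk-copy step is the last moment at which the attack can be stopped before the data is gone, and it is detectable: a workstation that normally sends a few megabytes an hour to the outside world does not quietly send 100 gigabytes in two hours. The following Python script is an added example, not code from the article. It reads flow records (timestamp, source host, destination IP, bytes out), ignores traffic to the firm’s internal address ranges, totals external bytes per host per hour, and flags any hour that is both above an absolute floor and many times that host’s own baseline. The flow records are constructed, INTERNAL_NETS is an assumed internal address space, and the factor and min_bytes thresholds are assumptions to tune per environment.

```python
"""Spot the bulk-copy stage: a host suddenly pushing far more data to
addresses outside the firm than it normally does.

Added example, not code from the article. The flow records are
constructed, INTERNAL_NETS is the firm's assumed address space, and the
factor/min_bytes thresholds are assumptions to tune per environment."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

GB = 1_000_000_000

# Assumed internal address space; traffic to these ranges is not exfiltration.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: timestamp,source_host,destination_ip,bytes_out.
# ws-finance-07 behaves normally for four hours, then pushes ~100 GB to an
# outside address in two hours (the Colonial pattern); ws-hr-02 stays normal;
# the 60 GB to 10.0.5.20 is an internal backup job that must not be flagged.
# 198.51.100.x and 203.0.113.x are documentation ranges standing in for
# real external addresses.
SAMPLE_FLOWS = """\
2021-05-06T08:05:00,ws-finance-07,203.0.113.10,3000000
2021-05-06T08:40:00,ws-finance-07,10.0.5.20,60000000000
2021-05-06T09:15:00,ws-finance-07,203.0.113.10,3500000
2021-05-06T10:05:00,ws-finance-07,198.51.100.7,4000000
2021-05-06T11:30:00,ws-finance-07,203.0.113.10,4500000
2021-05-06T12:02:00,ws-finance-07,198.51.100.44,52000000000
2021-05-06T13:01:00,ws-finance-07,198.51.100.44,48000000000
2021-05-06T08:20:00,ws-hr-02,203.0.113.10,2000000
2021-05-06T09:20:00,ws-hr-02,203.0.113.10,2500000
2021-05-06T10:20:00,ws-hr-02,203.0.113.10,3000000
2021-05-06T11:20:00,ws-hr-02,203.0.113.10,2200000
2021-05-06T12:20:00,ws-hr-02,203.0.113.10,2800000
2021-05-06T13:20:00,ws-hr-02,203.0.113.10,2100000
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, host, dst_ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), host,
                      ipaddress.ip_address(dst), int(nbytes)))
    return flows


def hourly_external_bytes(flows):
    """Sum bytes per (host, hour) for flows that leave the firm's own networks."""
    totals = defaultdict(int)
    for ts, host, dst, nbytes in flows:
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal traffic (backups, file servers) is not exfiltration
        hour = ts.replace(minute=0, second=0, microsecond=0)
        totals[(host, hour)] += nbytes
    return totals


def find_exfil_candidates(flows, factor=20, min_bytes=1 * GB):
    """Return (host, hour_iso, bytes, baseline) for hours in which a host's external
    volume is above an absolute floor and `factor` times its own baseline.
    The baseline is the median of the host's *other* hourly totals, so the
    anomalous hour cannot inflate the number it is compared against."""
    by_host = defaultdict(dict)
    for (host, hour), nbytes in hourly_external_bytes(flows).items():
        by_host[host][hour] = nbytes
    alerts = []
    for host, hours in by_host.items():
        for hour, nbytes in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((host, hour.isoformat(), nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes, baseline in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{host} {hour}: {nbytes / GB:.1f} GB outbound, "
              f"baseline {baseline / 1e6:.1f} MB/hour")
```

On the sample, only the two 50 GB hours from ws-finance-07 are reported; the internal backup and the HR workstation stay quiet. In production the baseline would come from days or weeks of history rather than the same day, and an alert should trigger containment of the host, not just a ticket, because the attackers here are minutes away from encrypting.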
Ransomware-as-a-service has emerged, with a supply chain behind each attack. One group harvests information such as the email addresses of employees at the target company, often through social engineering, and sells that list to another group that phishes those employees with malicious attachments until someone opens one. Once they have a foothold in the company’s systems, they sell that access to an affiliate who deploys the ransomware, which is supplied and maintained by the ransomware-as-a-service operator, and then negotiates the ransom, which is split between affiliate and operator.
Ransomware attacks are costly.
The City of Riviera Beach, Florida, was hit by ransomware in the summer of 2019. When the city council was asked to vote on paying the 65-bitcoin ransom, the decision was a unanimous 5-0 vote to pay $592,000 for the decryption keys and recover the city’s information.
A recent study by market research firm CyberEdge Group shows a growing trend of companies retrieving their data after paying the ransom: 49 percent of ransom payers recovered their data in 2018, rising to 61 percent in 2019 and 67 percent in 2020. Read the other way, roughly one payer in three still did not get its data back, and paying does nothing to recover the copy the attackers already took.
The price of not paying can in many cases be much higher. The City of Baltimore was attacked in May 2019 and decided not to pay the 13-bitcoin ransom, worth about $76,000 at the time. The city spent more than $10 million on consulting, software, and hardware, lost about $8 million in revenue, and was unable to access some systems for nearly three months.
Many companies cannot afford the downtime of a ransomware attack or its reputational impact. Grubman Shire Meiselas & Sacks, a New York City law firm serving clients in the entertainment industry, including music, film, television, and theater artists, confirmed in May 2020 that its computer network had been taken over by the REvil ransomware group.
The group had copied 756 gigabytes of data, including personal and legal information on a host of celebrities. The ransom started at $21 million and doubled to $42 million when the group realized it held legal documents related to Donald Trump. The firm did not pay, and some of the files were put up for auction on the dark web, including information on Jennifer Lopez, Robert De Niro, Christina Aguilera, Sean Combs, Priyanka Chopra, the Kardashian family, Madonna, Nicki Minaj, and Dwayne Johnson. This shows the damage a firm can suffer when it refuses a double extortion ransom. Bear in mind that paying would not have bought a guarantee either: the attackers keep the stolen copy, and nothing stops them from leaking or reselling it later.
You must protect your firm.
There are typically multiple opportunities for your firm to find and stop a ransomware attack before the attackers copy your data, from the first phishing email through the weeks of lateral movement that precede the encryption. All of these start with the chief executive making cybersecurity a priority.
Protecting your wealth management firm starts with educating your staff about unknown email attachments and the social engineering techniques bad actors use. Your technology leader should implement an initial training program and then run periodic simulated phishing tests to identify personnel who would benefit from additional training. Choosing the right training partner should include understanding their testing and recurring training capabilities.
Your technology leader should also implement well-defined remote worker policies and the technologies to enforce them. The policies focus on training remote workers to access corporate systems safely from home and elsewhere, including the local coffee shop. The training should cover how to use a phone to access company information and what information should never be accessed from a mobile device.
Training must be coupled with technologies such as VPNs, full-disk encryption for laptops, and tools that let your IT team remotely manage every device that touches the firm’s systems. Two controls deserve special mention given how these attacks unfold: multi-factor authentication on every remote access and email account, so that a stolen password alone is not enough to get in, and backups that are kept offline or otherwise out of reach of an attacker holding your administrator credentials and that are periodically test-restored, so that you can refuse a ransom without starting from scratch.
You can start now.
Cybersecurity professionals will tell you that you can never eliminate the threats to your firm. You can reduce the risk by educating your team on best practices and making your firm a more difficult target. The process will not be completed overnight, but you can start now: begin with a solid plan, support from the firm’s leadership team, and clear communication to all staff.