Ransomware of Things: real threats to FSIs
Distributed Denial of Service (DDoS) attacks may continue to haunt the online services of financial institutions, but coming fast in 2017 will be the Ransomware of Things (RoT). ESET senior security researcher Stephen Cobb predicts that system abuses such as DDoS will be accompanied by the infestation of Internet of Things (IoT) devices with malicious code, and by ransomware that holds computer systems and data files hostage.
He warns of potential cross-pollination in 2017: for example, using infected IoT devices to extort commercial websites by threatening a DDoS attack, or locking the IoT devices themselves and demanding a ransom to release them, which he calls "jackware".
In case you think venerable technology brands are invulnerable, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has recently listed vulnerability updates for recognizable brands, including:
- Cisco: Multiple vulnerabilities in Cisco IOS/ IOS XE and ASR 5000 Series Switch
- VMware: Multiple vulnerabilities in VMware ESXi and vSphere Data Protection
- Red Hat: Multiple vulnerabilities in Red Hat JBoss Core Services httpd
- Kaspersky: Multiple vulnerabilities in Kaspersky anti-virus and internet security products
The first ransomware dates back to 1989, as ESET's David Harley has recounted. Today the technologies behind this form of malware continue to grow in sophistication, and its perpetrators are emboldened by that success.
SMS-based Two-Factor Authentication (2FA) is no longer as secure as many assume. In March 2016, ESET reported that the Android banking Trojan Android/Spy.Agent.SI can intercept SMS messages on an infected phone and therefore bypass SMS-based 2FA: because the one-time code is delivered to the same device the malware controls, the second factor is no longer independent of the first. The Trojan campaign targeted large banks in Australia, New Zealand and Turkey, stealing login credentials for 20 mobile banking apps.
Banking apps identified included those from Westpac, Bankwest, BNZ, ANZ, Commonwealth Bank of Australia, Wells Fargo and National Australia Bank. The PayPal app was also included.
In an exclusive with Fintech Innovation, Nick FitzGerald, ESET Senior Research Fellow, noted that ransomware isn't going anywhere.
He warns that jackware may appear in 2017, noting that as IoT devices continue to gain mainstream adoption, the historically poor security stance of many such devices will become an increasingly significant issue.
“With banks using IoT to tailor customer experience and impact how they interact with customers, this could open them up to more attacks. IoT depends on ‘smart’ devices communicating and sharing information in real-time, and with mobile becoming a go-to channel for financial services, hackers could exploit vulnerabilities in mobile devices to penetrate networks or intercept and manipulate information,” explains FitzGerald.
Cobb believes there needs to be a collective international effort made on both a technical and political level, to stop the IoT giving way to the RoT.
“Traditional security techniques like filtering, encrypting, and authenticating can consume costly processing power and bandwidth. There has been a collective international failure to prevent a thriving criminal infrastructure evolving in cyberspace," he adds.
Should we pay the ransom?
“To pay (cybercriminals demanding a bitcoin ransom), or not to pay, that is the question,” muses FitzGerald.
On the morality of paying a ransom to cybercriminals who have attacked your system and encrypted your data, there is a multitude of opinions.
“There's an undeniable argument that if you give in and pay the ransom, you've directly contributed to the wellbeing of criminality. And there's unlikely to be a money-back guarantee” says Harley.
FitzGerald warns, however, that it is often not that straightforward.
“In cases where there are no backups – which are all too common in small businesses – it's arguably ‘pay up or lose the data’, and if you don’t pay, the damage may be so severe that you go out of business. In such circumstances it’s understandable that companies may decide to pay up rather than commit financial suicide,” he adds.
Larger organizations, however, should have disaster recovery processes good enough that the cost and time of recovery do not outweigh the ransom demand, leaving them no reason to pay.
However, there are scenarios other than ransomware locking access to all your files. For instance, when a bank's internet banking services were targeted by cybercriminals in a DDoS attack, it took close to two days to resolve the issue. In the banking world, two days can mean serious financial losses for the bank and its customers.
“Imagine you’re a senior executive at a bank, your online banking site is targeted by a massive DDoS attack and then you get a ransom demand to stop the attack. Would you pay?” muses FitzGerald, “And if so, how much? And if they then came back a few days later with a similar attack and a larger ransom demand?”
Planning for, and implementing, DDoS prevention services well in advance of needing them might be a large bank’s equivalent of a small business ensuring it has a good backup and restore system.
In November 2016, thousands of customers lost money from their accounts in a cyberattack launched against a UK bank. With as much as £600 siphoned from their accounts, this attack had far-reaching consequences, not only for the customers, but for the bank’s reputation.
“If you have properly prepared your system, ransomware is really nothing more than a nuisance”, says ESET Security Researcher Lysa Myers.
Here are five precautions that prevent ransomware attacks, or limit the damage when one gets through.
- Back up your data: on an offline system that is disconnected from your devices and network when not in use. Be aware of precisely how any “continuous” and journaling backup systems you may have work, as these may end up containing only copies of the encrypted files, depending on how many generations of each file they retain. This is the single most important thing you can do.
- Keep your software up to date: apply operating system and application patches promptly, and run reputable anti-malware software and a software firewall, obtained from trustworthy sources.
- Disable macros in Microsoft Office files: By doing so, you deactivate the use of one of the scripting languages most used by malware.
- Display hidden file extensions -- and look for double extensions: Windows and OS X hide known file extensions by default, so a file named invoice.pdf.exe is shown as invoice.pdf. Malware takes advantage of this.
- Filter EXE files in email; disable RDP if it is not needed; and block files running from the AppData / LocalAppData folders: ransomware commonly arrives as an executable attachment, is delivered over exposed Remote Desktop, and runs from these user-writable folders.
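As an added example (not part of the article or of ESET's own guidance), the following PowerShell script applies precautions 3 to 5 on a single Windows workstation: it disables Office macros, shows file extensions, turns off inbound Remote Desktop and adds Software Restriction Policy (SRP) path rules that block executables under AppData and LocalAppData. It assumes Office 2016 or later (registry version key 16.0), Windows 8 / Server 2012 or later for the NetSecurity cmdlets, and the SRP registry layout that secpol.msc writes; that layout is an assumption to verify in secpol.msc after running. Backups, patching and email filtering belong to the backup system, patch management and the mail gateway respectively, so they are not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or ESET: applies precautions 3-5 on one
# Windows workstation. Assumptions: Office 2016+ (registry key 16.0), Windows 8 /
# Server 2012+ (NetSecurity module), and the Software Restriction Policy (SRP)
# registry layout used by secpol.msc. Verify the result in secpol.msc afterwards.

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value, so the script is safe to re-run.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Precaution 4: show known file extensions so "invoice.pdf.exe" is visible as such.
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# Precaution 3: disable Office macros. VBAWarnings = 4 disables all macros without
# notification (3 would allow only digitally signed macros), and
# BlockContentExecutionFromInternet stops macros in files marked as downloaded.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    Set-RegValue $sec 'VBAWarnings' 4
    Set-RegValue $sec 'BlockContentExecutionFromInternet' 1
}

# Precaution 5a: refuse inbound Remote Desktop connections and close the firewall rules.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Precaution 5b: SRP path rules that disallow executables under AppData and
# LocalAppData. Level 0 under CodeIdentifiers is "Disallowed"; DefaultLevel
# 0x40000 (Unrestricted) leaves everything not matched by a rule alone.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-RegValue $safer 'DefaultLevel'        0x40000
Set-RegValue $safer 'TransparentEnabled'  1   # apply to all software files except DLLs
Set-RegValue $safer 'PolicyScope'         0   # all users, administrators included
Set-RegValue $safer 'AuthenticodeEnabled' 0

$rules = [ordered]@{
    '%AppData%\*.exe'        = 'Block executables in Roaming AppData'
    '%AppData%\*\*.exe'      = 'Block executables in Roaming AppData subfolders'
    '%LocalAppData%\*.exe'   = 'Block executables in Local AppData'
    '%LocalAppData%\*\*.exe' = 'Block executables in Local AppData subfolders'
}
# Skip rules that already exist so re-running does not create duplicate entries.
$existing = Get-ChildItem "$safer\0\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
foreach ($path in $rules.Keys) {
    if ($existing -contains $path) { continue }
    $key = "$safer\0\Paths\{$([guid]::NewGuid())}"   # each SRP rule lives under a GUID key
    Set-RegValue $key 'ItemData'    $path         'ExpandString'
    Set-RegValue $key 'SaferFlags'  0
    Set-RegValue $key 'Description' $rules[$path] 'String'
}

Write-Host 'Done. Sign out and back in (or reboot) for the SRP and Explorer changes to take effect.'
```

Run it from an elevated PowerShell prompt on a test machine first. The AppData rules will also block legitimate per-user installers that live under LocalAppData (several mainstream browsers and collaboration clients do); allow those explicitly with Unrestricted path rules under the CodeIdentifiers\262144\Paths key rather than dropping the block. The macro and Explorer settings above are per-user (HKCU); to roll them out across a fleet, set the equivalent values through Group Policy instead of on each machine.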
Ransomware "can be extremely scary", but it can be tackled with education and awareness. If anything good can come out of this ransomware trend, it is an understanding of the importance of performing regular, frequent backups to protect our valuable data.
Readers of Fintech Innovation may also want to watch this video offering guidance on recent ransomware malware and how to protect against them.
Feature photo courtesy of iStockPhoto.