In a notice released to the financial industry, FINRA warns firms across the nation about a rise in sophisticated ransomware attacks, with private client data being the target. Ransomware typically involves bad actors hacking into a firm’s database to gain access to or encrypt sensitive firm information. This hijacked data is then held until the demand for a ransom is met. Some ransomware attacks have become significant threats that include theft of data and bad actors’ ongoing network access.

FINRA attributes the surge in these attacks to the increased use of technology and the continued adoption of cryptocurrencies, noting that bad actors use both to help conceal their identity when collecting ransomware payouts. FINRA also urges small firms to remain vigilant, stating that bad actors, including sophisticated cyber criminals, organized crime syndicates, and state actors, have increasingly started to target small and mid-sized firms.

Though the threat of ransomware is serious, you and your firm can rest assured that there are tangible measures you can take to help reduce the risk of falling victim to an attack. By understanding what the most common forms of ransomware are, you can then ask the related questions to make sure your firm is ready in the event of an attack.

Common Attack Types and Things to Consider for Your Firm:

  • Governance and Risk Assessment. Do your firm’s policies and procedures clearly define responsibilities for cybersecurity controls and related breaches, including ransomware attacks? Does your firm require staff to report ransomware risks, as well as related steps to address those risks, to senior management? Does your firm use tools, such as penetration testing and vulnerability scanning, to support your firm’s risk assessment?
  • Asset Management Inventory. Does your firm maintain a comprehensive inventory of its hardware, software, data, and applications? As part of your firm’s inventory and related reviews, has your firm identified and addressed any at-risk hardware or software that is vulnerable to a ransomware attack?
  • Technical Preventive and Detective Controls. Does your firm prioritize implementing controls on commonly targeted systems and devices?
    • Does your firm require multi-factor authentication to access firm systems or devices? Has the firm evaluated its capabilities to detect and block sophisticated attacks using tools, such as endpoint detection and response, a host-based intrusion detection system, and a host-based intrusion prevention system?
    • Is sensitive data encrypted so that it remains unreadable if a bad actor copies it outside your firm’s network as part of a ransomware attack?
    • Has your firm enabled the latest tools to restrict or limit access to firm systems, such as restricting PowerShell and enabling PowerShell logging, restricting access to Remote Desktop Protocol services and admin tools, and using a file server resource manager (with restrictions on writing files with ransomware extensions)?
  • Social Engineering and Phishing. Does your firm address social engineering and phishing risks for firm staff, including:
    • Addressing such risks in your firm’s policies and procedures or by, for example:
      • identifying phishing emails;
      • clarifying that staff should not click on any links or open any attachments in phishing emails;
      • requiring deletion of phishing emails; and
      • ensuring proper resolution and remediation after phishing attacks?
    • Training firm staff on such threats, tactics, and procedures used by bad actors, and regularly conducting phishing email campaign simulations to evaluate employee understanding of and compliance with your firm’s phishing policies and procedures.
    • Implementing email scanning/filtering to monitor and block phishing and spam communication, including blocking known malicious sites and ransomware files, unmasking URLs, and noting risk and reputation ratings and previews of the target pages.
  • Backups and Recovery. Does your firm keep offline encrypted backups of systems and data that are not connected to the primary data source, so that bad actors cannot lock up the backup data along with the primary data? Does your firm regularly test its data recovery capabilities and backup processes, such as those referenced in the firm’s business continuity plan (BCP), disaster recovery plan, or incident response plan (IRP)?
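As an added example (not from the FINRA notice or any firm’s own configuration), the following PowerShell applies two of the technical controls listed above on a Windows file server: a File Server Resource Manager file screen that blocks writes of ransomware-style file names to a client share and raises a Windows event each time it does, plus PowerShell script block logging. The share path, file group name and extension patterns are assumptions chosen for illustration.

```powershell
# Added example: FSRM file screen + PowerShell script block logging.
# Run in an elevated session on a Windows file server. Paths, names and
# extension patterns below are assumptions, not a vetted indicator list.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

# Illustrative patterns (constructed for this example): extensions and
# ransom-note names that ransomware commonly writes after encrypting files.
$patterns = @('*.locked', '*.encrypted', '*.crypt', 'HOW_TO_DECRYPT*.txt')

# A file group bundles the patterns; the screen applies it to a share path.
New-FsrmFileGroup -Name 'Ransomware Extensions' -IncludePattern $patterns

# Write a Warning to the Application event log on every blocked write, so
# EDR or the SIEM can alert on it. The bracketed tokens are FSRM macros.
$alert = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked write of [Source File Path] by [Source Io Owner] on [Server]'

# Active screen: the write is refused, not just reported.
New-FsrmFileScreen -Path 'D:\Shares\Clients' `
    -IncludeGroup 'Ransomware Extensions' -Active -Notification $alert

# Script block logging records the content of every PowerShell script block
# executed on the host (Event ID 4104), which supports detection of
# attacker tooling that runs through PowerShell.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Verify the screen is in place and active.
Get-FsrmFileScreen -Path 'D:\Shares\Clients' | Select-Object Path, Active, IncludeGroup
```

FSRM screens match on file name only, so they catch the rename-on-encrypt stage of an attack but not a strain that keeps the original file names; treat the blocked-write events as a detection feed alongside EDR and offline backups, not as the whole control.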