At first glance, ransomware protection might seem straightforward: back up your data, and then use those backups to bounce back if attackers breach your systems and demand a ransom. However, the reality is far more complex—it’s not just about having a plan, but having a robust strategy that can withstand the ever-evolving cybercriminal tactics.
One of these tactics? Targeting backups themselves – an increasingly critical risk for banks, especially if they are not prepared.
The Financial Industry’s Ransomware Problem: The Potential for Devastating Impact
It’s no secret that cyber threats and digital disruptions are on the rise for all sectors, but specifically for the financial industry, it is particularly concerning. Attacks can potentially impact everything from personal savings accounts to small businesses that rely on banking services.
But that’s not all.
Why are banks such attractive targets? Aside from possessing massive amounts of sensitive data, they can afford to pay large ransoms and have intense pressure to prevent an industry-wide collapse. A single successful attack on a bank can cause a chain reaction, potentially destabilizing the entire financial system.
New regulations like DORA are emerging for exactly this reason – to make robust security and compliance measures mandatory and to maintain the safety and stability of the industry as a whole.
The financial services industry is becoming increasingly vulnerable to ransomware, with a significant spike in incidents – last year, 64% of financial entities surveyed reported being hit by ransomware.
Supply Chain Sabotage: How a Single Vulnerability Brought Chaos to the Banking Sector
Let’s examine a recent, significant ransomware attack from May 2023 – a major supply chain breach that targeted numerous banks, with its repercussions still being felt today.
The CLOP ransomware group exploited a security flaw in MOVEit Transfer software – widely used by many financial institutions, including banks, to facilitate secure file transfers.
The vulnerability (along with the attackers’ sophisticated methods) allowed them to gain unauthorized access to victim networks, using a malicious script to gain access and control the servers.
The result? At least 10 American banks and credit unions were affected. The attackers encrypted systems, gained access to victim networks and stole sensitive data including names, addresses, birthdates, Social Security numbers, and other personal information.
Banks affected included 1st Source Bank, First National Bankers Bank, and Putnam Investments. The attack resulted in significant disruptions, with some financial institutions forced to close branches and temporarily limit operations. The full extent of the data breach and financial impact is still being assessed, but it represents a major supply chain attack targeting the financial sector through vulnerable file transfer software.
How Prolonged Malicious Infiltration Can Target a Bank’s Backups
In the CLOP attack, bad actors exploited a security vulnerability to gain access to financial institutions’ networks; however, there are various ways bank data can be compromised (which we’ll get to in a bit). One common and devastating consequence of infiltration is the backup attack scenario, which often follows an initial breach.
Many times the attackers quietly infiltrate and remain undetected within a bank’s network for weeks or even months. This extended access gives them ample time to study the systems, identify key targets, and eventually locate backup files. During this time, they can systematically encrypt backups, rendering them useless and ensuring that the bank cannot recover its data without paying the ransom. Meanwhile, the attackers carefully prepare their ransom demands, threatening to publicly disclose the stolen data unless their terms are met. This prolonged undetected access makes the attack even more damaging, as banks are blindsided when the full scope of the breach is realized.
Understanding Backups in the Context of Ransomware
The IDC reports that 51% of ransomware attacks in 2023 attempted to destroy backups, with 60% of these attempts succeeding.
How do we distinguish backups from our production data, exactly?
Historically, ransomware focused on encrypting “live” production data like databases and email servers to disrupt business.
But in addition to production data, banks typically also possess data backups — point-in-time copies of production data that can be used to restore systems if the original data is compromised. Backup data typically is not identical to production data because following a backup, production data will change. But if you create backups frequently enough (and by “frequently enough,” we mean factoring in your organization’s RPO needs), the difference between backup data and production data will not be significant enough to prevent successful recovery using backups.
As long as you can access your backups, and they are recent enough to restore systems to an operational state, you’ll be able to recover using backups in the event of a ransomware attack without the need to pay a ransom.
Common Methods Bad Actors Use to Penetrate Systems and Target Backups
So how do bad actors penetrate systems in the first place? There are various methods:
- Stolen admin credentials: If attackers steal login credentials for someone who has access to both production and backup systems, such as an IT employee, they may be able to log in as that employee and delete backups.
- Social engineering: Attackers could also use phishing or a similar social engineering technique to trick an employee into deleting backup data. For example, a threat actor could impersonate an IT manager or director and instruct an employee to delete backups, claiming that it’s necessary to free up disk space.
- Compromised backup tools: By taking advantage of vulnerabilities in backup tools or scripts, such as weak authentication controls, attackers may be able to access the tools and delete backups through them.
- Breached storage infrastructure: Attackers can potentially exploit vulnerabilities in the operating systems or storage software that host backup data to delete it or encrypt it.
How can banks improve on their threat detection?
In the face of increasing ransomware threats, financial institutions, particularly banks, have no choice but to adopt a comprehensive and proactive approach to securing their systems and data. This goes beyond just having strong firewalls and antivirus software; it requires a multi-layered strategy of regular scans, updates, education and safeguarding – a critical first step to fully defend against bad actors.
Let’s lay out the initial steps banks can take to fortify their threat assessments:
- Regularly Scan and Patch systems: Regularly scanning for vulnerabilities in systems and promptly applying patches is crucial so ransomware can’t exploit known vulnerabilities. This reduces the risk of an attacker being able to infiltrate the system in the first place.
- Threat Intelligence Sharing: Banks can subscribe to threat intelligence services that provide real-time information about emerging ransomware threats in the industry, attacker tactics, and indicators of compromise (IOCs). By staying updated, banks can be on the lookout and have maximum detection capabilities.
- Implementing MFA: Multi-factor authentication (MFA) should be implemented for both backup management systems and access to backup data, to ensure that only authorized personnel can make changes or access backup copies.
- Implement Least Privilege Permissions on Backups: By granting only the necessary access to users and systems, banks can limit the potential impact of an attack, ensuring that backups remain secure and isolated from unauthorized modifications or encryption. This reduces the likelihood that attackers can exploit backup systems.
- File Integrity Monitoring (FIM): FIM detects unauthorized changes to critical files, which is a common tactic used by ransomware to encrypt or alter data. By continuously monitoring and alerting on any unauthorized modifications, banks can quickly identify potential ransomware attacks before they spread, ensuring that any unexpected file changes are flagged and investigated promptly.
- Make backups difficult to identify: If backups are poorly labeled (e.g., simply marked as “backup”), they become a prime target for cybercriminals. Attackers may specifically target backup storage, knowing it may contain sensitive customer financial information, transaction logs, or account details. Employ robust naming conventions and encryption for backups to make it more difficult for attackers to distinguish between backup and regular data.
- Employees must be aware of social engineering tactics: Employees in the banking sector are often targeted by phishing emails or pretexting attacks leading to accidental exposure or compromise of backup data. Make sure your employees understand they can be unwittingly providing attackers with access to backup systems or sensitive information. Financial institutions should conduct phishing simulations and raise awareness about secure backup practices to mitigate this risk.
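As an added illustration of the File Integrity Monitoring point above (example code written for this post, not part of N2WS or the original article): a minimal integrity monitor for a backup directory that hashes every file, compares a later snapshot against the baseline, and escalates when a large share of the set changes at once. The directory layout, file contents and the 20% threshold are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def diff(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, deleted or added relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def assess(changes: dict, baseline_count: int, mass_change_ratio: float = 0.2) -> str:
    """A completed backup set should never change. Any modification or deletion is
    suspicious; touching a large share of the set at once is the signature of
    encryption or wiping and is escalated to CRITICAL (threshold is an assumption)."""
    touched = len(changes["modified"]) + len(changes["deleted"])
    if baseline_count and touched / baseline_count >= mass_change_ratio:
        return "CRITICAL"
    if touched or changes["added"]:
        return "WARNING"
    return "OK"

def demo():
    """Constructed scenario: five backup files, three overwritten and a note dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(5):
            (root / f"accounts-{i}.bak").write_bytes(b"ledger snapshot %d" % i)
        baseline = snapshot(root)          # taken right after the backup job finishes
        for i in range(3):                 # simulated tampering between two checks
            (root / f"accounts-{i}.bak").write_bytes(b"\x00\xff" * 8)
        (root / "README_RESTORE.txt").write_text("constructed sample note")
        current = snapshot(root)           # taken by the next scheduled check
    changes = diff(baseline, current)
    return assess(changes, len(baseline)), changes

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored outside the monitored system (ideally on the immutable or read-only storage discussed later) so that an attacker who reaches the backups cannot also rewrite the reference hashes.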
When it’s too late for threat detection: Best practice for protecting your systems is a Robust Backup Strategy
What’s the most effective way to ensure continuity of operations after an attack? A working, and tested disaster recovery plan.
Unfortunately, threat detection can only go so far. As attackers refine their methods, even the most advanced detection systems can, and will, be bypassed. While detecting threats remains essential, it’s even more important that banks have strategies in place to recover to a healthy failover state using clean, updated, off-site backups. Here are some easy-to-implement measures security teams can take to ransomware-proof their systems and perform a complete and immediate full-environment recovery.
1. Perform regularly scheduled recovery tests: Regular recovery drills and tests are crucial for verifying backup integrity, detecting potential compromises and ensuring all network settings are properly restored for a seamless failover. Choose third party tools that not only automate this process, but produce detailed audit logs to support compliance and strengthen security oversight.
2. Air-gap backups: Air-gapping involves disconnecting backup data from the network to substantially reduce the risk of network-based attacks. This can slightly slow down data restoration, so choose an innovative solution that ensures you can restore from any off-site location or account – immediately – for maximum data protection.
3. Encrypt backups: Encrypting backups can make it harder for attackers to find backups because it prevents them from viewing the contents of the data. File contents are unreadable to anyone who does not have the decryption key.
4. Create multiple copies of backups – cost effectively: Create multiple copies and store each set in a different location. This ensures recovery capability even if one set is compromised.
A challenge, of course, is that your backup storage costs will typically increase. However, using cost saving best practices like storing only the most recent backups in a cold storage tier can help mitigate this. Innovative automation tools make this process seamless and provide other long-term retention cost benefits such as storing incremental backups. This ensures only changes to data are retained. (Tip: most cloud providers store full backups leading to unnecessarily high expenses).
5. Store backups across clouds and across accounts: To increase backup reliability even further, spread backups across multiple accounts and clouds. Your data will remain safe if attackers manage to take over the account that manages your production environment, or if one cloud environment is compromised. For example, if backups are stored in the same cloud account that is also used by operational systems (such as transaction processing or customer data management systems), an attack on the primary systems could compromise both the production data and its backups. Separating these environments, through network segmentation or cloud-based backup solutions, can mitigate this risk.
6. Create immutable backups: Immutable backups are backup data that is impossible to modify. This both stops attackers from encrypting or deleting backups and protects against the risk that your own employees might accidentally make changes.
7. Use read-only storage: Most storage systems make it possible to store data in read-only mode where the data can be viewed, but not modified.
Read-only storage isn’t a hard guarantee against compromised backups because attackers could potentially find ways to remount the backups in read-write mode. But it does make it that much harder for them to damage backup data.
Conclusion: Ensuring Bank Resilience with Ease
Banks face heightened risks from ransomware attacks, making the protection of both production data and backups essential for maintaining business continuity. By implementing these best practices, financial institutions can bolster their defenses, mitigate the impact of ransomware, and ensure resilience even in the face of increasingly sophisticated cyber threats.
Protecting backup data with N2WS
At N2WS, we empower financial and banking IT teams to not only safeguard their data backups but also provide comprehensive solutions that enhance their knowledge and confidence in ensuring robust data security. We achieve this by providing frequent health checks and offering features such as:
- Regular recovery testing and drills
- Immutable backups to help prevent tampering with backup data
- Cross-account (AWS) and cross-subscription (Azure) protection, giving you off-site, compliant, isolated copies
- Granular access controls to help you define exactly who can do what with your backups.
- Cost-effective long term storage, making it easy to create multiple copies of your backups and isolate them in a cold tier
See for yourself by requesting a free trial.
Chris Tozzi
Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.