Ransomware Essentials:
A Guide for Financial Services
Firm Defense
October 2024
Introduction

Ransomware is one of the few threats that can truly disable a financial services institution. Increasingly innovative, aggressive, and frequent, ransomware attacks can disrupt customer services, halt business operations, and damage the institution's standing with customers and regulators.

This document aims to help the sector address ransomware threats. Using operational insight from FS-ISAC and its members, it is particularly useful to information technology (IT) professionals, those who develop cyber incident response policies and procedures, and those who coordinate incident responses. The paper focuses on:
• Ransomware mitigation best practices
• Incident response/crisis management
• Considerations on paying ransoms
• Resources for further study

Ransomware is on the Rise
• 70% increase in observed events [1]
• 64% increase in ransomware attacks on the financial services sector [2]
• 4,374 new victims over the last 12 months [3]
Phases of a Ransomware Attack: Infect and Encrypt, Exfiltrate and Harass

Ransomware is a form of extortion that has developed into a two-phase attack – first encryption and data exfiltration, then demands for payment and harassment to speed the ransom payment.

Threat actors execute the first phase by gaining access to the victim's computer systems and deploying malicious software (malware) to infect the victim's computers and encrypt their files.

Phase 1: Access systems. Attack vectors include:
> Social engineering
> Compromised credentials
> Zero-day exploits
> Open network shares
> Remote access services
> Public-facing application and supply chain vulnerabilities
> Untargeted "drive-by downloads"

Phase 1: Deploy malware
> Infect computers
> Encrypt files
> Spread malware through systems, drives, and devices
> Disable security and backup systems
> Exfiltrate data

Phase 2: Steal data and issue demands
> Hold data hostage until payment is made
> Public data release to increase pressure
> Customer notification of attack
| Ransomware Essentials © FS-ISAC 2024 | 2
Ransomware-as-a-Service

Some criminal groups build and sell malware to other threat actors, enabling successful attacks by low-skill criminals. Other ransomware groups – like REvil, LockBit, and CL0P – employ advanced techniques to infiltrate financial institutions, steal sensitive data, and demand ransoms. Despite law enforcement crackdowns, these groups rapidly adapt, using new infrastructure, evolving tactics, and an irregular cadence of attacks.

Many ransomware attacks intertwine financial motives with geopolitical agendas. Hacktivist groups like Anonymous Sudan and KillNet, driven by geopolitical conflicts like the Russia-Ukraine war, have increasingly targeted critical banking infrastructure.

[Chart: Events | Last 12 Months – monthly count of ransomware events in the financial sector, October 2023 to September 2024. Source: eCrime Threat and Risk Intelligence Services [4]]

Usually, threat actors attempt to spread the malware across the financial firm's connected systems, including shared storage drives and other accessible devices – ransomware is often deployed as a secondary payload after a device has been compromised by other malware. Such malware can be so destructive that it renders the victim's systems inoperable.

The top ransomware threats are human-operated attacks, often facilitated by criminal organizations that sell initial access or bots as a service. Once threat actors access the network, they move laterally to disable security tools and backup systems. These attackers often have extensive knowledge of systems administration and common network security misconfigurations (GenAI makes them easier to find), enabling them to perform thorough reconnaissance and adapt to what they discover in a compromised network.

The second phase is the exfiltration of data, followed by a "hostage" demand (also known as leakware or doxware): payment in exchange for the decryption key and a promise not to publish the stolen data. In a triple extortion attempt, threat actors also launch a DDoS attack so the financial firm cannot operate the business. In a quadruple extortion attempt, cybercriminals leak data and contact customers, employees, business partners, media, and even regulators to inform them of the data compromise and accelerate the payment.

Proactive Ransomware Defense: Cyber Fundamentals, Crisis Management Plans, and Best Practices Protect Your Firm

One of the most frustrating – and dangerous – aspects of a ransomware attack is the loss of access to necessary tools. A compromised firm may not have access to its SOC or forensics tools. Systems like email and communications infrastructure may also be offline or untrustworthy. Therefore, ransomware incident response plans should include workarounds and the ability to rapidly restore or replace a minimal set of critical capabilities to maintain operations.
Build Cyber Hygiene Fundamentals into Your Technical Controls

As a contribution to the sector's defense, FS-ISAC recently released Cyber Fundamentals, a risk-based approach using Defense-in-Depth principles appropriate to any financial services institution at any level of cyber maturity. Of the Cyber Fundamentals' 16 recommendations, the following six are the most relevant to ransomware defense.

Cyber Fundamentals Checklist:
1. Isolate, test, and exercise backups
2. Update software, automate patching
3. Require MFA and strong passwords
4. Train employees
5. Write and exercise an incident response plan
6. Use EDR, DLP, and firewalls

1 Use non-erasable and non-modifiable backup systems to duplicate data and system configurations
> Regularly back up critical data and system configurations to isolated environments. If segmentation is in place and backups are preserved, the impact of an attack may be manageable. Separate the credentials that can delete or alter backups from everyday administrative accounts: attackers who disable backup systems (Phase 1 above) usually do so with compromised administrator credentials.
> Test backups at least annually in real-world technical exercises to ensure backups can be restored quickly and completely in the event of an attack. Cloud computing makes testing and restoration easier, but some firms may only be able to test restoration of certain critical functions. A robust restoration plan, likely on separate new infrastructure, will take a great deal of effort, especially in large firms.

2 Regularly update and patch software
> Updates and patches reduce initial infection potential from both technical and social engineering attacks.
> Where the risk is acceptable, automate patch management to ensure consistent application of updates across all systems, reducing human error and delays.
> If patching is delayed, develop standard processes to implement mitigation strategies like virtual patching using a web application firewall (WAF). Virtual patching blocks known exploit traffic in front of the application but does not remove the vulnerability, so track it as a temporary compensating control until the real patch is applied.

3 Use a zero-trust and least privilege policy with multi-factor authentication, and require strong passwords for every employee, device, and account
> Implement a zero-trust approach where all users and devices, inside or outside the network, are authenticated, authorized, and continuously validated before gaining access to applications and data. Prefer phishing-resistant MFA (FIDO2/passkeys) for remote access and privileged accounts, since those are the credentials ransomware operators look for first.
> Leverage resources like NIST SP 800-207 Zero Trust Architecture to develop your strategy.

4 Train employees on their role in cybersecurity
> Conduct regular training sessions to educate employees on the latest cybersecurity threats, including phishing, social engineering, and the dangers of clicking on unknown links or downloading unverified attachments. People who understand the potential impact of clicking on external links or reusing passwords will generally take more care about their activities.

5 Develop an incident response plan specific to ransomware attacks
> Detail the steps to be taken immediately upon detection, including isolation, communication, and recovery procedures.
> Conduct regular tabletop exercises and full-scale drills to ensure that all team members are familiar with the response plan and can act quickly and effectively under pressure. Exercises allow you to review and update plans to adapt to evolving threats and changes in your organization.
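Item 1 above asks for non-modifiable backups and for restore tests that prove backups come back "quickly and completely". A restore test needs a way to tell that what came back is what went in, and that the reference it is compared against was not itself altered by the intruder. The script below is an added example written for this page, not FS-ISAC tooling or code from the Cyber Fundamentals: it builds a manifest of SHA-256 file hashes at backup time, authenticates that manifest with an HMAC key assumed to be held outside the backup environment (an offline vault), and after a restore reports files that are missing, modified, or unexpected. The directory layout, file names, key, and the simulated tampering are all constructed for the demonstration.

```python
"""Restore-test check for a backup set.

Added example (not FS-ISAC code). A keyed manifest lets you prove that a
restored tree matches what was backed up even if the attacker could write
to the backup store. File names, contents and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes):
    """Hash every file under root; return (manifest, hmac_tag).

    The HMAC key must live outside the backup environment (assumption:
    an offline vault). If it sits next to the backups, an attacker who can
    encrypt the backups can also rewrite the manifest to match.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = _sha256(p)
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_restore(manifest: dict, tag: str, key: bytes, restored: Path) -> dict:
    """Compare a restored tree against an authenticated manifest.

    Returns {"manifest_ok": bool, "missing": [...], "modified": [...], "extra": [...]}.
    If the tag does not verify, the manifest is untrustworthy and no per-file
    result is reported.
    """
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, tag),
              "missing": [], "modified": [], "extra": []}
    if not report["manifest_ok"]:
        return report
    seen = set()
    for p in restored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            seen.add(rel)
            if rel not in manifest:
                report["extra"].append(rel)       # e.g. a dropped ransom note
            elif _sha256(p) != manifest[rel]:
                report["modified"].append(rel)    # e.g. encrypted in place
    report["missing"] = sorted(set(manifest) - seen)
    report["extra"].sort()
    report["modified"].sort()
    return report


def demo() -> dict:
    """Constructed scenario: back up two files, then 'restore' a tree in which
    one file was encrypted, one was deleted and a ransom note was added.
    Also shows that a forged manifest fails the tag check."""
    key = b"offline-vault-key-example"  # assumption: fetched from a vault in practice
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "accounts.csv").write_text("id,balance\n1,100\n")
        (src / "config.yaml").write_text("db: primary\n")
        manifest, tag = build_manifest(src, key)

        dst = Path(tmp) / "restored"
        (dst / "ledger").mkdir(parents=True)
        (dst / "ledger" / "accounts.csv").write_bytes(os.urandom(64))  # "encrypted"
        (dst / "README.txt").write_text("decrypt instructions")         # ransom note
        report = verify_restore(manifest, tag, key, dst)

        # Attacker rewrites the manifest to match the encrypted file but
        # cannot recompute the tag without the offline key.
        forged = dict(manifest, **{"ledger/accounts.csv": _sha256(dst / "ledger" / "accounts.csv")})
        forged_ok = verify_restore(forged, tag, key, dst)["manifest_ok"]
        return {"restore": report, "forged_manifest_ok": forged_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A plain hash list kept beside the backups is not enough: the same access that lets an intruder encrypt or delete the backup set usually lets them rewrite a manifest stored with it, which is why the tag key has to live somewhere the backup system cannot reach, the same separation the "isolated environments" bullet asks for. In practice, point build_manifest at the backup set when it is taken and verify_restore at the restored tree during the annual exercise; a non-empty "missing" or "modified" list is a failed restore test even if the restore job itself reported success.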
6 Implement EDR, DLP, and firewall solutions
> Implement Endpoint Detection and Response (EDR) solutions. EDR solutions monitor endpoints (computers, servers, mobile devices) for suspicious activity and respond to threats in real time to disrupt ransomware before it can spread.
> Implement Data Loss Prevention (DLP) solutions. DLP solutions monitor and control the movement of sensitive data, helping to prevent exfiltration attempts by cybercriminals.
> Use firewalls, configured closed by default, with active blocking. When deploying firewalls, look at internal segmentation as well. One example is agent-based microsegmentation augmenting traditional firewalls, which minimizes the potential impact of encryption malware. Another key control for exfiltration monitoring is a secure web gateway (SWG)/DNS firewall that can detect data being stolen and prevent users from going to malicious websites.

Next, consider how to respond effectively if an attack is successful. You will need both a strategic crisis management plan and a tactical response plan. ISO/IEC 27001 is a great framework, as is the NIST Cybersecurity Framework (CSF) 2.0 (and it is the baseline for all FFIEC guidance). That framework helps you plan the essential factors of strategic and tactical responses.

As you build out the plan, identify the Incident Response (IR) team. It should include functions from across the organization. All their actions should be driven by the Responsible, Accountable, Consulted, Informed (RACI) model.
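Item 6 names a SWG/DNS firewall that can detect data being stolen. One common form of exfiltration that such a control has to catch is DNS tunnelling: the malware encodes file chunks into subdomain labels of a zone the attacker controls, so the resolver log shows one client asking for many unique, long, high-entropy names under a single zone. The script below is an added example written for this page, not FS-ISAC code: it parses constructed resolver log lines (the "client query type name" line shape, the thresholds, and the two-label zone shortcut are all assumptions) and flags (client, zone) pairs that cross the thresholds.

```python
"""Flag DNS-tunnelling style exfiltration in resolver logs.

Added example (not FS-ISAC code). The log line shape, the thresholds and
the two-label zone heuristic are assumptions; the sample lines are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: client 10.1.2.7 sends encoded chunks under badzone.example;
# client 10.1.2.9 makes one odd-looking but isolated query.
SAMPLE_LOG = """\
10.1.2.3 query A www.example.com
10.1.2.3 query A cdn.example.net
10.1.2.7 query TXT q7w3e9r1t5y0u2i4o6p8azsxdcfvgbhn.0.t.badzone.example
10.1.2.7 query TXT m1n2b3v4c5x6z7l8k9j0hgfdsapoiuyt.1.t.badzone.example
10.1.2.3 query A mail.example.com
10.1.2.7 query TXT z9x8c7v6b5n4m3a2s1d0fghjklqwerty.2.t.badzone.example
10.1.2.9 query A p0o9i8u7y6t5r4e3w2q1asdfghjklzxc.cdn.example.net
10.1.2.3 query AAAA login.intranet.example
"""

LOG_RE = re.compile(r"^(?P<src>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# Thresholds (assumptions; tune against your own resolver logs).
LONG_LABEL = 20          # a single label this long is rare in human-chosen names
MIN_LABEL_ENTROPY = 3.0  # bits per character of the longest label
MIN_DISTINCT_NAMES = 3   # distinct suspicious names per (client, zone) before alerting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 0.0 for '' or 'aaaa', up to log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_zone(qname: str) -> str:
    """Registrable zone approximated as the last two labels.
    Assumption for the example; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_name(qname: str) -> bool:
    """A long, high-entropy longest label is the shape of an encoded data chunk."""
    longest = max(qname.rstrip(".").split("."), key=len)
    return len(longest) >= LONG_LABEL and shannon_entropy(longest) >= MIN_LABEL_ENTROPY


def detect_exfil(log_text: str) -> dict:
    """Return {(client, zone): [suspicious qnames]} for pairs over the volume threshold."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real tool would count and report these
        qname = m["qname"].lower()
        if is_suspicious_name(qname):
            names[(m["src"], base_zone(qname))].add(qname)
    return {k: sorted(v) for k, v in names.items() if len(v) >= MIN_DISTINCT_NAMES}


if __name__ == "__main__":
    for (client, zone), qnames in detect_exfil(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {zone}: {len(qnames)} encoded names")
```

The single high-entropy name under example.net is deliberately left unflagged: CDN and cloud hostnames often look random, so scoring names one at a time produces noise, and it is the volume of distinct names per client and zone that separates tunnelling from ordinary traffic. Tune LONG_LABEL and MIN_DISTINCT_NAMES against a week of your own resolver logs, replace the two-label zone shortcut with the Public Suffix List, and feed the alert into the same place EDR alerts go, since the client that is tunnelling is also the host to isolate.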
Strategic Response Framework
> Mission statement
> Strategies and goals
> Senior management approval (signed off/on)
> Organizational approach to incident response
> IR team's communication with the firm
> Metrics for incident response capability and effectiveness
> Roadmap for maturing the incident response capability
> IR program's role in the overall organization

How to Develop and Implement a Crisis Management Plan

Crisis Management Plan Checklist:
> Policy on paying ransoms
> Crisis management framework
> Roles and responsibilities

Ransomware presents a unique challenge in that the time between detection and impact – the "flash to bang" – is essentially zero. Unlike cyber incidents that unfold over weeks, ransomware requires immediate execution of crisis management plans in real time, without some of the normal phases of mitigation.

While the technical controls mentioned above are critical to defending against and responding to a ransomware attack, process-based capabilities are equally important. A crisis management plan must involve the entire leadership team and include a clear policy on whether to pay the ransom. If your legal team approves paying, you will need to have a contract with a payment negotiator and be prepared to purchase cryptocurrency – most criminals require ransom payment in crypto.
Crisis Management Team

Senior Leadership
> Chief Executive Officer
> Chief Financial Officer
> Board of Directors

General Counsel and Legal/Risk Management Consultants
> General Counsel
> External cyber SME advisor
> Ransomware consultants/payment experts
> Law enforcement agency (LEA) liaison
> Cyber insurance liaison

Communications/Public Relations
> External cyber incident SME

Operations
> IT leadership
> Call centers, customer service, and related functions
> Business continuity planning team

InfoSec
> IR/SOC
> Threat intel
> Forensics teams
> External forensics experts

Vendor Management (lead team if ransomware impacts vendors)
> Third-party risk management

Human Resources
> Employee communications
> Staff support and counseling

As you think about the team's tasks, determine:
• A plan for early detection of malware, and a plan for the post-encryption case if the malware is not discovered before it executes.
• A plan to deal with the technical aspects of encryption and the external impact of data being released.
• The process and triggers to notify insurance, regulators, law enforcement agencies, and external subject matter experts (PR, forensics, legal).
• The process and sequence for board, regulatory, employee, and public notifications.
• A process for dealing with key vendors impacted by the breach or ransomware.
• Third-party management including:
  > Vendor breach impact assessment
  > Third-party communication plan
  > RACI for this process
• How to tie the business continuity/disaster recovery plan to the crisis management plan.
• The systems necessary to collect and preserve forensic evidence, maintain a chain of custody, and track the sequence of events – remember, this is a crime.
• How to collaborate with law enforcement, and the relationships and processes needed to share intelligence.
• Testing/exercises that drive validation. A great resource to design the threat scenario and build out the master scenario events list (MSEL) is the Cybersecurity and Infrastructure Security Agency's (CISA) Tabletop Exercise Packages. In any case, testing and exercises should be:
  > Regularly scheduled, with documented improvement plans.
  > Scenario-based, with drills for the different types of activities involved with current ransomware trends.
  > Designed to make sure all the steps in the crisis management plan are exercised, whether tabletop or technical.
Should You Pay the Ransom? The Risks, Regulations, and Factors to Consider

FS-ISAC does not encourage paying a ransom to criminal actors. Ransoms fund further criminal activities and perpetuate the ransomware business model. However, the decision requires the evaluation of all options to protect shareholders, employees, and customers when systems are compromised. It is a serious, individual business decision, so ransomware victims should consider the following risks:

• You may or may not regain access to the data. After paying the originally demanded ransom, some victims have been asked to pay even more to get the promised decryption key. Some individuals and institutions paid but were never given decryption keys.
• You are not protected from future attacks. Some victims who paid the demand were targeted again.
• You may be out of compliance. Laws and regulations vary across jurisdictions, but many apply specifically to financial services institutions. In her book, Digital Empires: The Global Battle to Regulate Technology [5], Anu Bradford covers three overarching approaches to governing the digital landscape: market-driven, state-driven, and rights-driven. Examples of state-driven governance of ransomware responses include:
  > In the US: The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on a number of cybercriminal threat actors and groups – by paying a ransom you may be violating those sanctions. Victims who pay ransoms might also be subject to criminal or civil penalties, such as those who knowingly pay an entity either designated as a foreign terrorist organization or that is subject to sanctions by the Department of the Treasury. Moreover, federal cybersecurity preparedness laws require federal agencies to secure their networks and authorize CISA and the Office of Personnel Management (OPM) to establish federal network security requirements. The US states of Florida, Indiana, Louisiana, North Carolina, and North Dakota require public entities to report ransomware incidents. The Computer Fraud and Abuse Act (CFAA) can be used to prosecute those who perpetrate ransomware attacks.
  > In the UK: The UK has enforced financial sanctions under the cyber sanctions regime since May 2019, introduced when the UK was part of the European Union (EU). Following the UK's exit from the EU, the Cyber (Sanctions) (EU Exit) Regulations 2020 (the Regulations) were introduced under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) [6]. Facilitating a ransomware payment may breach UK sectoral sanctions or the law of other jurisdictions. The Foreign, Commonwealth and Development Office (FCDO) has produced guidance on each sanctions regime that gives details of sectoral sanctions.
  > In Australia: Making or facilitating a ransomware payment may breach Australian sanctions laws and result in criminal penalties where such payments are made to persons or entities subject to Australian autonomous sanctions laws.
References and Further Reading

FS-ISAC Cyber Fundamentals
MS-ISAC #StopRansomware Guide
CSBS Ransomware Self-Assessment Tool
IC3 reporting and annual security trends
UK National Cyber Security Centre Guidance
Europol tips to prevent ransomware

Original report references

Cybersecurity and Infrastructure Security Agency (CISA): "Reduce the Risk of Ransomware" Awareness Campaign
Cybersecurity and Infrastructure Security Agency (CISA): Ransomware Guide
Cybersecurity and Infrastructure Security Agency (CISA): Stop Ransomware Webinars
Cybersecurity and Infrastructure Security Agency (CISA): Stop Ransomware Fact Sheet
Cybersecurity and Infrastructure Security Agency (CISA): Protect your Center from Ransomware
Federal Bureau of Investigation (FBI): Common Scams and Crimes – Ransomware
Federal Bureau of Investigation (FBI): Ransomware Prevention and Response for CISOs
Europol: "NoMoreRansom" International Initiative
National Cyber Security Centre (NL): Ransomware
National Cyber Security Centre (UK): Phishing Attacks: Defending your Organisation
National Cyber Security Centre (UK): Ransomware: What Board Members Should Know About Ransomware
National Cyber Security Centre (UK): Mitigating Malware and Ransomware

Endnotes

1 Increase in observed ransomware events: Ransomware and Data Leak Site Report, March 2023 – eCrime.ch
2 Ransomware attack increase on the financial services sector: ABA's Banking Journal
3 New victims over the last 12 months: Orange Cyberdefense
4 Ransomware attacks in the last 12 months: https://ecrime.ch/
5 Anu Bradford: https://scholarship.law.columbia.edu/books/367/
6 UK cyber sanctions regime: https://www.gov.uk/government/publications/financial-sanctions-cyber-attacks#:~:text=The%20Cyber%20(Sanctions)%20(EU%20Exit)%20Regulations%202020%20put,country%20other%20than%20the%20UK