Companies are losing billions of dollars to data exfiltration extortion and ransomware attacks, and the fintech industry is one of the hardest hit. Over the past few months, we have witnessed some of the biggest cyber extortions arising from ransomware and data exfiltration, both inflicting severe damage on key markets, including fintech, IT services, and SaaS. The latest statistics reveal the serious implications of data exfiltration extortion in a time of devastating economic turmoil. In March, the leading fintech company Finastra suffered a ransomware attack, forcing its IT team to take immediate countermeasures to prevent loss of data. However, other victims still feel heavily let down by their IT operations, Infosec, analytics, and data storage management teams when it comes to answering what data exfiltration extortionists are truly targeting.
Here’s what the industry analysts are reporting on fintech ransomware incidents.
- Google Play Store is one of the many banking malware sources. [ThreatMark]
- 98 of 100 most prominent and well-funded fintech startups are vulnerable to phishing, web, and mobile application security attacks. [ImmuniWeb]
- According to Coveware, Bitcoin is now used almost exclusively in all forms of cyber extortion. The time taken to procure bitcoin to pay the ransom extends the period during which the effects of data exfiltration extortion / ransomware are magnified in the dark data marketplace.
- The European Union (EU) mandate for Open Banking and the risky techniques companies employ to gather data, compounded by delays in the technical implementation of the mandated security protocols, have increased cybersecurity threats and broadened the attack surface of these institutions. [Trend Micro]
- Mobile investment apps are primary targets. Not all apps use MFA and encryption modules to secure user data, inviting cyber threat actors (CTAs) to attack them. [Kaspersky]
- Small banks and fintech firms bought by bigger organizations are at a heightened level of risk for two reasons: first, these banks are still developing their cybersecurity model; second, these banks are among the organizations more likely to pay a ransom than accept the loss of data. [Kaspersky]
- CTAs based in China and Russia are the top sources of concern when it comes to inflicting a devastating nation-state attack. [CrowdStrike]
As announced earlier, Finastra teams learned of potentially anomalous activity on our systems. Statement here as we continue to investigate: https://t.co/SQZKBNSR6C
— Finastra (@FinastraFS) March 20, 2020
This is not the only attack targeting fintech firms. Mastercard, MobiKwik, and others have suffered one form or another of data exfiltration incident in 2021.
According to a recent CrowdStrike report, 56 percent of the senior IT decision makers (ITDMs) and IT security professionals surveyed acknowledged that their organizations had suffered at least one critical ransomware attack in the last 12 months. Organizations paid an average of $1.1 million to get their data off the ransomware net. If that was not enough, many companies even fell victim to a double extortion ransomware attack within a span of a few weeks of the first attack.
What is Data Exfiltration Extortion and How Does It Affect an Organization?
Like ransomware, data exfiltration extortion is now among the fastest-growing cybercrimes. Backed by the rise of crypto, and with AI and machine learning capabilities falling into the hands of criminals, ransomware attacks have become one of the most damaging types of cybercrime in recent months. Despite the volume of losses to data theft and data exfiltration extortion, it is visibly hard to convince senior IT professionals to take cybercrime seriously and strengthen their existing firewalls and data management / security policies.
Any ransomware attack leaves a financial organization facing two major hurdles, shaped by the severity of the attack, its duration, and the extent of data loss. The severity of the attack is calculated from the financial costs incurred due to the ransomware (ransom payment + cost of IT security remediation) and branding communications. The cost of third-party claims is also included in this bracket.
To plan better against cyber threats, it is important to define the nature, scope and extent to which data exfiltration extortion impacts high-growth, data-powered businesses like fintech.
What is Data Exfiltration Extortion?
To understand data exfiltration extortion, it is important to define ‘what is data exfiltration?’
Data exfiltration is a highly unethical but sophisticated type of data theft perpetrated by cyber threat actors (CTAs) using existing communication channels (emails, SMS, social media messages), unauthorized download / upload devices, unsecured cloud assets, and virtual machines (VMs).
Data exfiltration extortion occurs when CTAs steal critical information from your machines after infecting your systems with ransomware. Usual attack vectors include a phishing email or internal personnel plugging in a thumb drive that loads malware. These vectors then exploit an unsecured Remote Desktop Protocol (RDP) service.
What is RDP?
CIS provides a very simple explanation on RDP. According to CIS, “RDP provides network access for a remote user over an encrypted channel. Network administrators use RDP to diagnose issues, log in to servers, and to perform other remote actions. Remote users use RDP to log into the organization’s network to access email and files.”
If your RDP is compromised, your systems are left open for CTAs to move through the network and extract data for exfiltration and encryption.
The MITRE ATT&CK framework catalogues the various exfiltration techniques as listed below (ATT&CK technique IDs in parentheses):
- Automated Exfiltration (T1020)
- Data Transfer Size Limits (T1030)
- Exfiltration Over Alternative Protocol (T1048)
- Exfiltration Over C2 Channel (T1041)
- Exfiltration Over Other Network Medium (T1011)
- Exfiltration Over Physical Medium (T1052)
- Exfiltration Over Web Service (T1567)
- Scheduled Transfer (T1029)
- Transfer Data to Cloud Account (T1537)
Clearly, modern banking and financial services companies are highly susceptible to falling prey to these types of exfiltration.
Data exfiltration can be carried out from an infected machine to an external server, over unencrypted network protocols, or by encoding data within established communication channels so that existing security firewalls do not detect it.
A majority of data exfiltration also occurs over USB, Bluetooth and cellular data, or through legitimate web services or browsers.
Suspicious network connections, VMs, and cloud environments have become a source of advanced data exfiltration extortion events.
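As an added illustration that is not part of the original article, the following Python script applies simple detection heuristics for four of the ATT&CK exfiltration techniques listed above (web service, alternative protocol, scheduled transfer, size-limited chunks) to constructed outbound flow-log records; the hostnames, byte thresholds and the cloud-storage host list are assumptions, not data from any real network.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample flow records, not captured from any real network:
# (epoch seconds, source host, destination, destination port, bytes sent)
FLOWS = [
    (1000, "ws-17", "mail.example.internal", 443, 12_000),
    (1000, "ws-17", "dns.example.internal", 53, 180),
    (1060, "ws-17", "files.cloud-drop.example", 443, 5_000_000),  # bulk upload
    (1120, "ws-17", "files.cloud-drop.example", 443, 5_000_000),  # every 60 s,
    (1180, "ws-17", "files.cloud-drop.example", 443, 5_000_000),  # same size
    (1240, "ws-17", "files.cloud-drop.example", 443, 5_000_000),
    (1300, "ws-17", "x.tunnel.example", 53, 900_000),  # bulky traffic over DNS
    (1350, "ws-42", "crm.example.internal", 443, 40_000),
]

# Assumption: an organisation-maintained list of external file-sharing hosts.
CLOUD_STORAGE = {"files.cloud-drop.example"}


def detect(flows, large_bytes=1_000_000, dns_bytes=100_000, min_repeats=3):
    """Return sorted (technique_id, src, dst) findings for the given flows."""
    findings = set()
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
        if dst in CLOUD_STORAGE and nbytes >= large_bytes:
            findings.add(("T1567", src, dst))  # Exfiltration Over Web Service
        if port == 53 and nbytes >= dns_bytes:
            findings.add(("T1048", src, dst))  # Alternative Protocol: DNS is tiny
    for (src, dst), recs in by_pair.items():
        # Cadence and chunk-size checks only matter once the volume is large,
        # otherwise periodic heartbeats and polling would be flagged as well.
        if len(recs) < min_repeats or sum(n for _, n in recs) < large_bytes:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if pstdev(gaps) <= 5:  # near-constant interval between transfers
            findings.add(("T1029", src, dst))  # Scheduled Transfer
        if len({n for _, n in recs}) == 1:  # every transfer exactly the same size
            findings.add(("T1030", src, dst))  # Data Transfer Size Limits
    return sorted(findings)


if __name__ == "__main__":
    for technique, src, dst in detect(FLOWS):
        print(f"{technique}: {src} -> {dst}")
```

Single large transfers and tunnelled DNS are flagged per flow, while the cadence and chunk-size rules need several flows to the same destination before they fire.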
What Happens When Data is Exfiltrated?
Once the data has been exfiltrated and encrypted, the CTAs demand a ransom through an on-screen message. The victim has these options:
- Report the ransomware attack to the FBI or Interpol
- Pay the ransom and hope the CTAs return the data
- Upgrade the existing cybersecurity framework, hoping the data will not be sold on the dark data market
- Prepare for the second data exfiltration extortion event
How Many Data Exfiltration Extortions Were Reported in 2020?
According to the FBI's Internet Crime Complaint Center, the authorities received close to 2500 ransomware complaints. It is hard to evaluate or report how many of these attacks were actually investigated as cases of corporate or financial data exfiltration extortion. According to Cybersecurity Ventures, a surge of ransomware attacks is inevitable in 2021: there will be a ransomware attack every second.
It is clear that healthcare and education services providers are the easiest targets for CTAs to exfiltrate data. But, in recent times, fintech firms too have fallen victims. A majority of these incidents either go unreported or are managed extremely well by the corporate communications team to avoid backlash from VCs, regulators, and customers.
According to BCG's report, financial services firms are 300 times as likely as any other company to be targeted by CTAs. Fintech firms, banks and wealth managers face a daunting task in dealing with these attacks, especially since the cost of recovery and risk assessment is far higher than in any other industry. Most fintech firms are still 'ill-equipped' to thwart these attacks with predictive measures, information security and cyber resilience.
List of Ransomware Variants That Use Exfiltration
- Emotet + TrickBot + Ryuk
In the COVID-19 era, the fintech sector faces a far more serious challenge from ransomware than any other data-intensive industry. Using next-gen AIOps, predictive intelligence, and modernized IT cloud architecture with zero-trust frameworks can protect fintech firms from common ransomware and data exfiltration extortion vectors. As CrowdStrike points out, most companies across domains (including fintech) have spent at least $1 million on digital transformation and security transformation.