This year has seen the most significant number of ransomware attacks on record — from the May shutdown of the Colonial Pipeline with a ransomware demand of $4.4 million to the July attack on IT solutions provider Kaseya that resulted in more than 1,000 companies, including U.S. banks, being held ransom for a $70 million payout.

In many cases, ransomware relies on automated attacks to steal valuable data, Justin Estadt, head of product at SEI IT Services and a 20-plus-year veteran of IT security, told Bank Automation News.
“One-hundred percent, automation is playing a role in how things are committed most of the time, once whatever the technology mechanism is that is going to actually get the ransomware onto a machine or infrastructure,” Estadt said.
Often, cybercriminals use phishing techniques, spoofed websites and other methods to infiltrate a network. Ransomware may remain in a network for three to six months, spreading through it and collecting data, Estadt said.
BAN contacted several digital security experts to learn how financial institutions can defend against ransomware attacks.
Prioritize cybersecurity investment
The ransomware attack on Kaseya shows how important it is to invest in cybersecurity now, said Safi Raza, director of cyber security at risk management software provider Fusion Risk Management.
“Ransomware attacks are only rising in popularity, and cyber criminals are continually looking for new ways to exploit vulnerabilities for their own benefit,” Raza told BAN. “Organizations in the financial services industry must invest in robust cybersecurity programs as part of their risk management and operational resilience strategy — and get ahead of skilled and opportunistic criminals.”
That means creating a strong, security-focused culture at all levels of the organization, he added.
An automated defense is the best offense
Since ransomware often leverages email phishing that targets employees, one automated step that financial institutions can take is to block executables from being downloaded or transferred via email, Estadt said. At the network level, it is important to block uncategorized sites, particularly brand-new URLs or domain names.
“If it’s not categorized at all, why are your business folks trying to get access to it, unless it’s the latest and greatest software? But even then, better to be safe than sorry,” Estadt said. “That’s a very big win from automation on the network side.”
An additional precaution is to monitor at the network layer for command and control (C2) server traffic: the messages from the attacker's infrastructure that tell the attacker not only what information is available but how to “remote desktop in and other aspects that would be part of that campaign to allow that compromise to take place,” Estadt said. C2 server messages can be used to launch automated bot attacks as well.
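The three automated controls described above (refusing executable attachments at the mail gateway, blocking uncategorized or newly seen domains at the proxy, and watching the network layer for C2 traffic) can be expressed as simple log-review rules. The following is an added illustration written for this article, not code from SEI IT Services or any of the experts quoted; the mail and proxy records, host names, and the 203.0.113.10 address (a documentation range) are constructed, and the beacon heuristic (regular inter-connection timing, measured as the coefficient of variation of the gaps) is one common approach among several.

```python
"""Added example: automated ransomware defence checks over constructed log records."""
from collections import defaultdict
from statistics import mean, pstdev

# Extensions a mail gateway would refuse outright. Matching on the final
# extension also catches double extensions such as "invoice.pdf.exe".
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                   ".vbs", ".ps1", ".msi", ".dll", ".hta")

# Constructed mail-gateway records (hypothetical; not from the article).
MAIL_LOGS = [
    {"msg_id": "m1", "to": "teller@bank.example", "attachment": "statement.pdf"},
    {"msg_id": "m2", "to": "teller@bank.example", "attachment": "invoice.pdf.exe"},
    {"msg_id": "m3", "to": "ops@bank.example", "attachment": "update.js"},
    {"msg_id": "m4", "to": "ops@bank.example", "attachment": None},
]

# Constructed proxy records: epoch seconds, source host, destination, web-filter category.
WEB_LOGS = (
    # eight connections exactly 60 s apart to an uncategorized host: machine-regular timing
    [{"ts": 1000 + 60 * i, "src": "ws-07", "dst": "203.0.113.10", "category": "uncategorized"}
     for i in range(8)]
    # irregular, human-paced browsing to a categorized site
    + [{"ts": t, "src": "ws-07", "dst": "news.example", "category": "News"}
       for t in (1005, 1130, 1900, 2500, 2507, 4100, 4108)]
    # a single hit on a domain the filter has never categorized
    + [{"ts": 1200, "src": "ws-12", "dst": "new-login.example", "category": "uncategorized"}]
)


def is_blocked_attachment(filename):
    """Mail-gateway rule: reject executable attachments by extension."""
    if not filename:
        return False
    return filename.lower().endswith(EXEC_EXTENSIONS)


def is_uncategorized(category):
    """Proxy rule: treat missing or unknown categories as 'block until reviewed'."""
    return (category or "").strip().lower() in ("", "uncategorized", "unknown")


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    Near 0 means the client is calling out on a fixed schedule, which is how
    many C2 implants check in. Returns None when there are too few
    connections to judge, so a one-off visit is never scored.
    """
    ts = sorted(timestamps)
    if len(ts) < 6:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def review_mail(records):
    """Return message ids whose attachment the gateway should refuse."""
    return [r["msg_id"] for r in records if is_blocked_attachment(r["attachment"])]


def review_web(records, max_cv=0.15):
    """Return (src, dst) pairs to block for uncategorized destinations, plus
    pairs whose timing is regular enough to raise a possible-C2 alert."""
    blocked = sorted({(r["src"], r["dst"]) for r in records if is_uncategorized(r["category"])})
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), ts in by_pair.items():
        score = beacon_score(ts)
        if score is not None and score <= max_cv:
            beacons.append((src, dst, round(score, 3)))
    return {"uncategorized": blocked, "beacons": beacons}


if __name__ == "__main__":
    print("refuse attachments on:", review_mail(MAIL_LOGS))
    print("proxy review:", review_web(WEB_LOGS))
```

The attachment and category rules are safe to enforce automatically, as Estadt suggests. The beacon score is better treated as an alert than a block: legitimate software updaters and monitoring agents also poll on fixed intervals, so a regular cadence to an already categorized destination warrants a look rather than an outage.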
Vet third-party vendors
It is vitally important to vet third-party providers, Barbara Kissner, chief information security officer at fintech Tassat, said. She explained that companies can do this by inspecting SOC 2 reports, the output of an audit designed to verify that a service provider securely manages a client’s data.
“Financial institutions should perform in-depth due diligence reviews of their vendors, including close inspection of the SOC 2 reports,” Kissner said. “Vendors should demonstrate strong resiliency strategies and provide their clients with demonstrated proof of the ability to recover.”
Understand data flow
IT will struggle to mitigate an attack without understanding how data flows within the organization, said Simon Eyre, chief information security officer and managing director for cybersecurity software and solutions company Drawbridge.
“Data flow analysis within a business is a vital first step to understanding where corporate and personal data is held,” Eyre said. “Without that, controls cannot be applied to mitigate or limit the effectiveness of a ransomware attack.”
That applies to third-party vendors and supply chain partners, which are increasingly under attack, Eyre added. When mapping data flow, layering those third parties’ access and capabilities onto the data flow charts builds a picture of the attack risks within the firm.
It all boils down to practicing “good cyber hygiene,” Raza said.
“Until financial organizations commit to these steps and create third-party risk management plans that incorporate the same level of risk scrutiny for them as internally, these ransomware attacks will continue to run rampant,” Raza warned.