Bracing for State-Sponsored Ransomware and Cyberthreats in a World of Conflict

New ransomware and cyberthreats are being unleashed on the financial sector, and global events happening right now have dramatically increased the probability of cyberattack.

As a new war rages in Ukraine, the Conti ransomware gang, and Russia’s Internet Research Agency, have declared support for Putin’s invasion and vowed to retaliate against computing infrastructure in the U.S. and Europe if Russia is hit with cyber incursions. As governments ramp up financial pressure on Russian institutions and elites, sanctions are likely to prompt a cyber-offensive against financial entities in the West.

Already Ukrainian banks Privatbank and Oschadbank, have been targeted by state-sponsored attacks meant to disrupt critical services and infrastructure. Wiper viruses, capable of destroying data and disabling entire systems, were discovered on hundreds of computers in Ukraine in recent days.

Russian hackers are infamously effective, along with those from other rogue nations intent to cause chaos in the global-spanning financial sector. Typically aimed at monetary gain, cyberattacks are increasingly meant to cripple banks and their customers, misdirect resources, and make data permanently inaccessible.

Federal Reserve chairman Jerome Powell said in December that a cyberattack could inflict “significant financial stability risk that we haven’t actually faced yet,” should it take down a major institution or financial utility.

Data observability and threat detection
Despite the warnings, threats continue to catch financial firms off guard, and many still do not have adequate plans in place to survive and recover. Biden administration officials introduced last month a “Shields Up” initiative to further protect essential financial services. They said organizations should step up their ability to detect unusual network behavior and anomalous data consumption or access patterns.

Alert services are now considered table stakes in cloud-based and on-premises data management systems. They provide scheduled reporting and real-time custom warnings on user activity, data movement and cloud connectivity, allowing administrators to see what is happening at a glance.

Additionally, financial institutions should consider capabilities for reporting on node performance in software-defined storage. Real-time notifications about anomalous behavior within a global file system, for example, offer instant visibility into changes in data consumption patterns.

SaaS data management capabilities, which can be offered as an overlay to existing global file systems, provide a unified view of data in the cloud and on-premises. Automated alerting, search, audit, and file analytics deliver key observability, and can also assist with file restoration by helping administrators quickly find and recover affected data at massive scale.

Immutable data architectures
While detection and response to check for anomalistic activity is a first order of protection, once the boundaries of a network are breached, additional safeguards and security frameworks are needed. Banking and financial services organizations need to be prepared for unpredictable situations that cross the bounds of what cybersecurity vendors have considered–especially with the current increased threat, which is not intended to extort victims, but instead to paralyze infrastructure and diminish faith in banking and government services.

Making data impervious to ransomware and other malware variants, by storing it in an immutable form–that is “write once read many” or WORM–has emerged as an important bulwark.

In response to data protection mandates like the EU's strict General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the latest Markets in Financial Instruments Directive (MiFID II), technology is already being employed to ensure the lifeblood data of finance and capital operations can be unalterably stored and audited in perpetuity. The goal has been to protect PII while also staunching market and trading abuses that have beleaguered the sector.

That same immutability is also vital to protecting data from hackers. Once data is in a cloud object store, using a global file type system, an immutable architecture guarantees it cannot be changed, overwritten, or damaged. An effective approach is for file changes to be written as new data blocks which have no effect on existing data. When file “pointers” are configured to record which blocks comprise a file at any given time, data is made incorruptible.

File restoration and recovery tactics
Regardless of which technological approach is used by financial institutions, one question remains. What if malicious code is inserted into a network and data is taken down, held hostage, or otherwise corrupted?

In this emerging space, many fit-for-purpose solutions can make it extremely hard to lose data altogether, or at least to greatly minimize data loss. In fact, while legacy concepts of data backup and archival have proven effective, the time and effort required to bring systems back online and restore data from offline repositories is problematic. Business continuity, service-level agreements (SLAs), and the functioning of the financial system itself demands a better approach, with faster time to resolution. 

Utilizing read-only “snapshots” or replicas of data, which ostensibly provide a precise, point-in-time restoration of individual files and even entire cloud storage volumes, has the ability to recover any data. The most advanced data management and global file system technologies also ensure both the replicas and the data itself are immutable, allowing files to be reverted back to previous data blocks that comprise any uninfected files. It is therefore possible to quickly restore data, such as transactions and workflows, at a granular level. 

Checking the box on encryption
Encryption is at the heart of data protection and a robust cyberdefense. The standard bank-level encryption is 256-bit AES, or advanced encryption standard. When applied to data in transit, solutions that address regulatory requirements securely and immutably, also avoid risk because data is never exposed to unauthorized access.

Financial market participants should check that data transmitted to or from the cloud is also encrypted with TLS v1.2 while in flight, preventing access via interception or eavesdropping between cloud services.

Building on this paradigm, AES-256-CBC encryption for data at rest, for example data held in an object store, is also protected from exploitation. Such systems should always be NIST FIPS 140-2 compliant with encryption keys managed by the organization and never stored in the cloud. Hybrid and multi-cloud solutions should include all of these types of native data encryption. 

Contours of a resilient posture
Banking institutions and financial entities should be on high alert. Several weeks ago, in the days leading up to the Russian invasion, multiple Ukrainian websites were struck by hackers that left a warning to "be afraid and expect the worst.” State security services said evidence pointed to hacker groups directed by Russian intelligence.

Both the European Central Bank and the British Financial Conduct Authority are preparing for a possible Russian-sponsored cyberattack as geopolitical tensions grow, contacting financial organizations to warn them of the impending fallout of the conflict.

The White House is also following suit as the standoff between Russia and Ukraine continues to rattle markets, and transform low probabilities into real and present dangers to the global financial system. Authorities have directed banks and financial firms, as well as other organizations that support global financial markets, to take steps now to fortify mission-critical data resources.

While neither governments nor financial entities have been forthcoming with details about security defenses, for obvious reasons, tools that support a strong data framework are within our grasp. Now is the time to adopt a heightened data resiliency and recovery posture.