02/03/2024 12:09 AM

Tartufocracia


How Finastra survived a ransomware attack without paying ransom

When hackers silently forced their way into Finastra’s computer network in mid-March, the company was focused on developing emergency plans for operating amid the emerging COVID-19 coronavirus pandemic. Moving with precision and speed, the intruders captured employee passwords and installed backdoors in dozens of servers in critical parts of Finastra’s network.


Although hardly a household name, Finastra Group Holdings is an essential part of the global financial system, its software and services running everything from banks’ websites to the back-office systems they use to manage their own money. Its more than 8,500 customers include 90 of the world’s 100 largest banks.

For three days, the attack went unnoticed. But the hackers’ activity on one of Finastra’s cloud servers set off a tripwire that alerted the company’s security team and triggered a destructive finale to the intrusion. On March 20, the hackers – apparently aware they were being hunted – began detonating a potent strain of ransomware called Ryuk.

As the malware quickly spread, locking up server after server, Finastra’s information security team evaluated its dwindling options before settling on the nuclear one: The company pulled all potentially infected servers offline. First, hundreds, then thousands, came down. The attack ground to a halt – as did critical parts of Finastra’s business. In an instant, services for many of Finastra’s customers went dark.

The inside story of Finastra’s breach – which Bloomberg Businessweek reconstructed through dozens of internal documents provided by a person close to investigations conducted by Finastra and a security firm it hired – shows the vulnerabilities companies are facing as they grapple with depleted resources and scattered workforces, as well as the increasingly aggressive hacking groups eager to exploit them.

“We believe the attack came deliberately whilst we focused on moving the majority of our global workforce, including several thousands of our colleagues in the Americas, to safer work from home processes in light of COVID-19,” says Simon Paris, Chief Executive Officer, Finastra.

Finastra declined to comment on several specific questions about the hack, its response, and the subsequent investigations. “We retained control of our network through the action that we took in taking our servers offline, and our ability to resume operations in a relatively short space of time reflects that,” says a company spokesperson. The breach was previously reported by KrebsonSecurity.com, an investigative journalism site that focuses on cybercrime.

Ransomware attacks have been growing in recent years against all types of government agencies and businesses, including school districts, doctors’ offices, and multinational corporations. But the COVID-19 pandemic has presented hackers with a once-in-a-generation opportunity to strike vulnerable targets as entire offices are working from home and information-technology staff are stretched thin. The Ryuk strain of ransomware was created by a Russian organised crime ring that cybersecurity researchers have dubbed Wizard Spider.

Eric Friedberg, co-president of Aon Plc’s Stroz Friedberg incident response firm, which wasn’t involved in the Finastra incident, says that since January, the time between attackers gaining access to a network and deploying ransomware has dropped from weeks or months to between 2 and 10 days. He says the accelerated pace has slashed the time victims have to detect intrusions and decide how to respond, maximising the hackers’ leverage.

Finastra had one advantage, though: It learned about the breach fast, after its security team was alerted to unusual activity on a Finastra server hosted in a Microsoft cloud, according to a detailed timeline of events prepared by investigators. This was the tripwire that alerted Finastra that it had a bigger problem. The company found that the hackers had installed malware on dozens of critical servers known as domain controllers. That meant they had power over large banks of subordinate servers and the data on them, according to a spreadsheet of infected servers also prepared by investigators.
