
Defending a Financial Institution Against a Ransomware Attack


Introduction

In 2020, a top-tier European financial institution suffered a ransomware attack of the kind that has hit organisations worldwide, the best-known examples being the NotPetya and WannaCry outbreaks of 2017. With millions of sensitive financial records at risk, the bank partnered with a cybersecurity firm to strengthen its ransomware defenses and improve its response capability.

Background & Context

  • Industry: Financial Services (Retail Banking, Investment Banking, Wealth Management)
  • Annual Revenue: $10 billion+
  • Employees: 50,000+
  • Key Cybersecurity Concerns: Protection of financial data, prevention of operational disruption, compliance with regulatory frameworks (GDPR, PSD2).

Challenges

A review of the institution’s security posture before the attack revealed significant weaknesses:

  1. Outdated Software: Critical systems ran on legacy infrastructure with unpatched software versions, leaving known vulnerabilities open to exploitation.
  2. Weak Endpoint Security: There was no centralized endpoint detection and response (EDR) capability, so endpoint devices (e.g., employee workstations) were monitored only by traditional antivirus, if at all.
  3. Lack of Phishing Training: Phishing email was the initial attack vector, and staff had not been trained to recognise and report phishing attempts.

The Ransomware Attack

  • Incident: Attackers gained initial access through a phishing email. Once inside, they deployed ransomware that encrypted critical files across the network and demanded a ransom of $5 million in Bitcoin for the decryption key.
  • Impact: Several systems had to be taken offline, and financial operations were halted for 24 hours, costing the institution over $1 million in downtime on top of reputational damage.

Solutions Implemented

To prevent future incidents, the financial institution worked with its cybersecurity partner
to implement the following:

  1. Advanced Threat Detection and Response:
    o A Security Information and Event Management (SIEM) system was installed to centralize the collection, analysis, and reporting of log data from across the organization.
    o Artificial Intelligence (AI)-Driven Threat Detection: Machine learning models were deployed to detect and flag abnormal activity on the network in real time, reducing the detection window from days to minutes.
  2. Endpoint Detection and Response (EDR):
    o EDR tools like CrowdStrike and SentinelOne were deployed to continuously monitor endpoints, detect threats, and automate responses (e.g., isolating infected devices).
    o Behavioral Monitoring: The EDR tools flagged suspicious behaviour rather than relying on signatures alone (e.g., a single process rewriting or renaming a large number of files in a short window), allowing the IT team to isolate the host before files could be fully encrypted.
  3. Backup and Recovery Solutions:
    o Immutable Backups: Backups were written to storage that cannot be altered or deleted once written, so malware (even running with administrative privileges) cannot corrupt them. This allowed the bank to restore encrypted data quickly without paying the ransom.
    o Air-Gapped Backup Systems: Copies of critical data were additionally kept in a secure offline environment with no network path from production, so that ransomware spreading across the network could not reach and encrypt them.
  4. Phishing Awareness Training:
    o Interactive Employee Training Programs: Employees underwent cybersecurity awareness programs to recognize phishing attempts and report suspicious emails. Phishing simulations were regularly conducted to test employees’ vigilance.
    o Email Filtering Enhancements: Anti-phishing filters were strengthened using tools like Proofpoint, blocking malicious links and attachments before they reached employee inboxes.
  5. 24/7 Security Operations Center (SOC):
    o The institution set up a dedicated Security Operations Center that monitored all systems continuously, providing immediate responses to alerts triggered by the SIEM and EDR systems.
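The “encryption of large volumes of files” pattern referred to under Behavioral Monitoring can be illustrated with a small sliding-window detector. The code below is an added example written for this page, not ISSGlobal’s or any EDR vendor’s code: the telemetry schema (`FileEvent`), the entropy and rate thresholds, the list of ransomware extensions and the sample events are all assumed or constructed. It flags a process when it performs a threshold number of suspicious file operations (high-entropy writes, or renames to a known ransomware extension) within a time window, which is the moment an EDR would isolate the host.

```python
"""Toy behavioural detector for mass file encryption by a single process.

Added illustration for the case study above; not ISSGlobal's or any vendor's
code. The event schema, thresholds and sample telemetry are assumptions.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileEvent:
    ts: float                    # seconds (hypothetical telemetry timestamp)
    pid: int
    proc: str                    # process image name
    action: str                  # "write" or "rename"
    path: str
    data: Optional[bytes] = None  # content written, present for "write" events


# Thresholds are assumptions: plaintext/office documents usually sit well below
# 7 bits/byte, while ciphertext (and compressed data) approaches 8.
ENTROPY_THRESHOLD = 7.0
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")   # constructed list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent) -> bool:
    """High-entropy write, or rename onto a known ransomware extension."""
    if ev.action == "write":
        return ev.data is not None and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
    if ev.action == "rename":
        return ev.path.endswith(RANSOM_EXTENSIONS)
    return False


def detect_mass_encryption(events, window: float = 10.0, threshold: int = 20):
    """Return one alert per pid whose suspicious file ops reach `threshold`
    within any `window`-second span. Alerts fire on the event that crosses
    the threshold, so the caller can isolate the host while files remain."""
    recent = defaultdict(deque)   # pid -> timestamps of recent suspicious events
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        q = recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append({"pid": ev.pid, "proc": ev.proc,
                           "first_ts": q[0], "last_ts": ev.ts, "count": len(q)})
    return alerts


def sample_events():
    """Constructed telemetry: a benign editor plus an encryptor on a file share."""
    cipher_like = bytes(range(256)) * 8                  # stand-in for ciphertext, entropy 8.0
    text = b"Quarterly results: revenue up 3%. " * 40    # ordinary low-entropy document
    evs = []
    for i in range(5):
        evs.append(FileEvent(1.0 + i, 1001, "winword.exe", "write",
                             f"C:/Users/alice/doc{i}.docx", text))
    for i in range(25):
        t = 30.0 + i * 0.2
        evs.append(FileEvent(t, 4242, "ransom.exe", "write",
                             f"//fileserver/finance/ledger{i}.xlsx", cipher_like))
        evs.append(FileEvent(t + 0.05, 4242, "ransom.exe", "rename",
                             f"//fileserver/finance/ledger{i}.xlsx.locked"))
    return evs


if __name__ == "__main__":
    for a in detect_mass_encryption(sample_events()):
        span = a["last_ts"] - a["first_ts"]
        print(f"ALERT pid={a['pid']} {a['proc']}: {a['count']} suspicious file "
              f"ops in {span:.2f}s -> isolate host")
```

Two practical caveats. Backup agents, archivers and full-disk encryption tools also write high-entropy data at high rates, so a production rule needs an allowlist of signed, known-good binaries or a second signal (for example, deletion of volume shadow copies) before it isolates a host. And the rename check only catches extensions seen before; the entropy signal is what catches a new family.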

Outcomes

  • 99% Reduction in Attack Surface: After implementation, the institution reported a dramatic reduction in exploitable exposure, with no further ransomware incidents.
  • 50% Faster Incident Response: The SIEM and SOC enabled rapid identification of threats, with average response time dropping from 6 hours to under 30 minutes.
  • Zero Ransom Payments: Because of the backup strategy, the institution avoided paying the ransom and fully restored operations within 24 hours.
  • Regulatory Compliance: The new controls kept the bank compliant with GDPR and PSD2, avoiding the fines that could have followed from a data breach.

Real Life Example

Maersk and NotPetya: In 2017, Maersk was hit by NotPetya, which spread as ransomware but was in effect a wiper, so paying would not have recovered anything. Its entire Active Directory was wiped except for one domain controller in Ghana that had been offline because of a power outage; that single surviving copy let the company rebuild its infrastructure without paying a ransom, illustrating why at least one backup must be kept out of reach of the production network.

Protect your Organization with ISS365 Today.