Remote work gives ransomware hackers a new line of attack

Register now

The move to a more distributed workforce has brought many blessings and is likely to become normal within financial services and payments. However, when it comes to addressing the challenges of the "human attack surface," prevention is better than the cure or submitting to double extortion attempts.

2020 has been transformational to the way we live and work. And those changes to our working patterns must not be underestimated in terms of changing cyber risk, including how we protect ourselves against ransomware, which is making another resurgence —
particularly in targeted attacks from highly organized hacker groups.

When authorities first advised people to stay home during the pandemic, many organizations’ infrastructure, cloud and security teams swung into action to accommodate remote work across the entire workforce, with thousands of employees and contractors connecting through their ordinary enterprise identities and permissions via VPN, remote desktops and cloud access security brokers, or CASBs.

The ability of these teams demonstrated with their businesses and the flexibility they showed in modifying long-established working practices was remarkable. Many financial institutions, in particular, are considering a more distributed workforce to provide resilience, agility, and a far broader reach in the battle for talent.

However, this change has impacted the attack surface of financial institutions in a less obvious manner that is reflected in an uptick in targeted ransomware campaigns. To understand what is happening, we need to consider the human aspect.

We know hacker teams leveraging ransomware are highly aware of the way that human behavior can make an attack more successful as evidenced by the high proportion of ransom triggers (the final stage of the attack) being launched on weekends when staff are least able to respond. Ransomware is not just about the technology, but also about deployment tactics.

Let’s think about how the threat model changes for a financial institution with a newly distributed workforce. Instead of accessing a firm’s critical systems and customer data from a small number of secure corporate offices, the attack surface now extends to the private residences of thousands of employees.

Putting aside the network and endpoint security challenges, we need to think about the differences between the focus we observed in the workplace compared with our lives at home surrounded by our loved ones, social media and constant news about the developing pandemic and economic situation.

In such a scenario, the human attack surface extends to employees who aren’t necessarily in the same state of mind as they would be at the office where focus can be more intense and the atmosphere more professional. And this change in the human attack surface is what hacker groups are targeting with phishing emails that constitute the initial penetration phase of the ransomware attack. They are relying on a momentary lack of focus in order to begin a successful attack, which is all they require.

Financial institutions in particular are addressing this challenge in two major ways. Since this is a people problem, there is a need to develop better home working practices and ensure they are shared across the organization.

Practices such as drawing boundaries between personal and professional are vital in this respect, for example ensuring that employees do not begin to conduct personal business on company email accounts.

Next, organizations are adopting methods to ensure that employees’ relationships to critical company systems are better understood and permissions reduced using the principles of least privilege.

Identity and access management has long been a general weakness within financial services, which was accepted due to the complexities involved in managing access over time. In a world where the attack surface is now extended to thousands of homes, we require better visibility, governance and relationship management to reduce the paths through which malware can propagate to our critical systems and datastores.

For reprint and licensing requests for this article, click here.
Payment fraud Risk Ransomware Payment processing