The Russian-based ransomware group dubbed TA505 has been around for at least half a dozen years, perpetrating massive email attacks against various industries around the world. Now, it appears, it is the financial industry’s turn.
After reportedly fine-tuning its signature malware and scripting languages, the group has had North American banks, credit unions and other financial services firms in its sights since last month. Targeting various institutions with an email phishing campaign dubbed "MirrorBlast," users are directed to a fraudulent site where FSI employees may accidentally download malware onto their corporate computers or other devices.
Ivan Tsarynny, CEO and co-founder of Toronto-based Feroot, a client-side security vendor, pointed out that while financial services institutions have long been “under siege by cybercriminals," these enterprises typically have the most “advanced cybersecurity programs, practices and teams deployed.”
“FSIs are much better prepared than most other types of businesses to thwart ransomware attacks,” he said. "This means lots of internal cybersecurity training, strong passwords, enterprise-wide multi-factor authentication, well-defined vulnerability and patch management strategies, and more. Ransomware is one of dozens of attack vectors.”
Still, TA505, which has been dormant for a while, is a sleeping giant that is not to be trifled with. It is believed to have caused more than $100 million in losses over the past few years, according to the U.S. Treasury Department. (In December 2019, the U.S. Department of Justice even issued sanctions against some reputed members of TA505, in the face of malware threats they already posed.) And it’s not just U.S. FSIs under fire, but also financial firms in Canada, Europe and Asia, according to a recent report from cybersecurity vendor Morphisec.
However, to really make an impact, ransomware attacks must hit the server, and yet attacks like these tend to come in through the client side, according to Tsarynny. “Cybercriminals are finding they can easily deploy malicious third-party JavaScript on FSI web applications and web pages, and can skim user data,” he said. “Criminals don't have to use traditional server-side attacks like phishing or ransomware attacks to collect FSI customer data. They can skim the information from banking websites and web applications from the user's browser.”
And, no matter how ransomware threats are worked out, for FSIs in particular, the concern over these kinds of security compromises also encompasses compliance and privacy concerns. The European Union’s precedent-setting General Data Protection Regulation [GDPR], implemented three years ago, has set the standard that many U.S. states, as well as other countries, have followed in terms of laying down the law for the protection of customer data by companies.
If a ransomware threat like that posed by TA505 impacts customers in a state where they have instituted more aggressive privacy laws, what then?
“All it takes is one frustrated FSI customer who is a European national to make a complaint to launch a GDPR investigation,” said Tsarynny, pointing out that the minimum 20 million euro fine, or 4% of annual turnover, is just a fraction of the cost to ”the FSI if data is ultimately stolen during a ransomware.”
Indeed, an FSI might need to bear litigation costs, incident response costs, lost customers and the financial damage of a tarnished brand.
"A ransomware or client-side attack might drive customers to switch in droves,” suggested Tsarynny.
And, while ransomware is increasingly pervasive, it is only one of many growing attack vectors against FSIs.
“Banks are woefully unprepared to deal with client-side threats,” said Tsarynny. “If a criminal is able to deploy a keylogger script on a bank's website, they can capture usernames and passwords, and then can control the FSI customer's bank account. Criminals can make a quick buck without much effort.”