The London-based fintech company, Finastra, which provides financial software to the global banking sector, has reported suffering a ransomware attack that prompted the company to shut down its servers and caused disruptions to its global operations.
The success of the ransomware attack points to longstanding weaknesses in Finastra’s security infrastructure, as well as to the growing use of ransomware by criminal groups targeting large corporations.
As it happened: Finastra ransomware attack
On 20 March, sources at two separate United States (US) financial institutions alerted cybersecurity writer Brian Krebs that they had received a notice from Finastra saying the company expected an “outage” to imminently disrupt key services, especially for North American clients. The notice also stated that the outage was the result of a “potential security breach,” and that the fintech company was investigating its origins.
Hours after communicating this message to its clients, Finastra released another statement which provided more details as to the nature of the breach, revealing that the fintech company had suffered a ransomware attack as a result of the incident.
“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the fintech company said in its revised statement on 20 March.
This statement was confirmed again by Tom Kilroy, Finastra’s chief operating officer.
“Out of an abundance of caution, we immediately acted to take a number of our servers offline while we continue to investigate,” he said. “We have also informed and are cooperating with the relevant authorities and we are in touch directly with any customers who may be impacted as a result of disrupted service.”
Days later, on 24 March, Finastra updated its clients on the incident further, claiming that “restoration and investigation work continues”.
“Our dedicated teams are doing everything they can to bring systems back to normal,” the company said, pointing out that “the decision to voluntarily take our servers offline on March 20 2020 was not taken lightly.”
“We understood what was at stake and took that step to contain the threat, secure our network and most importantly, protect our customers and their data,” they added. “We are appreciative of the support we have received for these actions.”
In the days since, Finastra has not provided new information on the incident, telling reporters that the company is continuing its investigation and working to resolve the issues. The fintech company has, however, since told cybersecurity news site ZDNet that there is no evidence that any of its customer or employee data was accessed or exfiltrated as a result of the ransomware attack.
Finastra: a fintech company singled out
A high-profile target for cybercriminals, Finastra claims to be the world’s third largest fintech company, which hosts offices in 42 countries around the world with over 10,000 employees and 9,000 customers. In 2019, the company recorded more than $2 billion in revenue, and its clients include 90 of the top 100 banks globally.
In addition to the company’s standing, Finastra’s attractiveness to attackers also stems from a track record in cybersecurity and data protection that leaves a lot to be desired.
According to the threat intelligence firm Bad Packets, for example, the fintech company had been running unpatched servers for an extended period, leaving its systems exposed to attacks of all kinds, and this may have contributed to the recent ransomware attack. Bad Packets says this was determined by internet-wide scans it conducted last year.
Bad Packets also points out that Finastra had been running outdated Pulse Secure VPN servers in 2019, and that it was still running outdated Citrix servers at the beginning of this year.
Both of these server products have publicly known vulnerabilities that have been exploited in attacks over recent months, and either could be to blame for Finastra’s recent ransomware attack.
Ransomware attacks on the rise
Once considered an isolated and niche type of data breach, ransomware attacks that exploit weaknesses in company security have recently become a standard technique among cybercriminals.
According to ZDNet, this trend has been driven by active ransomware gangs stealing large amounts of data from their victims before launching the ransomware attack on their systems. After the attack is carried out, some or all of the stolen data is subsequently published on “victim-shaming sites set up by the ransomware gangs” so that the attackers can “strongarm victim companies” into paying exorbitant ransoms.
“With ransomware, the weapon of choice in a data breach, is with a social engineering phishing scam,” says James McQuiggan, security awareness advocate at KnowBe4. “It’s important for organizations to have a robust security awareness training program to inform employees of the techniques used by criminal hackers so they can reduce the risk of an attack when the phishing emails are in their inbox.”