Financial services and insurance industry bombarded with ransomware

“For insurance companies specifically, we saw a 13% increase in ransomware attacks in the first quarter,” said Crane Hassold, director of threat intelligence at Abnormal Security. (Credit: FBI Cyber Division)

The first quarter of 2022 ended with a 25% drop in the total number of ransomware attacks compared to the previous quarter, according to Abnormal Security Corp. However, the financial services sector, including insurance, did not experience such relief: the sector as a whole saw attacks increase 35% quarter-over-quarter and 75% year-over-year.

Insurers saw a 13% increase in ransomware attacks in the first quarter, according to Crane Hassold, director of threat intelligence at Abnormal Security, who told PropertyCasualty360.com that the financial services sector was the only industry to see a sharp increase in overall ransomware attacks in the first quarter of 2022.

While insurers saw an increase in attacks, accounting for 10% of ransomware incidents during the period, manufacturers continued to be the most targeted by ransomware, attracting 25% of attacks, according to Abnormal Security.

Retail and wholesale saw the biggest drop in ransomware attacks during the period, down 52% from the previous quarter.

LockBit loves insurers

Abnormal Security reported that LockBit, a ransomware-as-a-service (RaaS) affiliate, has focused more on the financial services industry in general, and smaller accounting and insurance companies in particular. Hassold explains that this is because small businesses typically lack the capital to invest robustly in cybersecurity, making them easier to exploit and more attractive targets for cybercriminals.

“Small organizations are also attractive targets for other types of attacks such as financial supply chain compromise, where small businesses are exploited first in an effort to attack large customers,” he says, adding, “Most ransomware attacks today are delivered indirectly by compromising an organization’s network with malware.”

Coveware, Inc., a ransomware remediation firm, reported that phishing is the most common attack vector used by LockBit, followed by software/hardware vulnerabilities and remote desktop protocol, respectively.

“Once an organization’s network is compromised, threat actors will leverage the initial access to remotely deploy ransomware,” Abnormal Security’s Hassold said. “The single most important step organizations can take to protect against ransomware today is to ensure that this initial compromise does not occur.”

Earlier this year, the FBI’s Cyber Division issued a flash bulletin regarding LockBit 2.0, an update to the RaaS, which noted that these attacks are difficult to defend against due to the wide variety of tactics, techniques and procedures they employ. However, the bureau offered some tips to mitigate the risks of LockBit 2.0:

  • Require that all accounts with password logins (for example, service account, administrator accounts, and domain administrator accounts) have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on any system that an adversary may gain access to. Devices with local administrative accounts should implement a password policy that requires strong and unique passwords for each individual administrative account.
  • Require multi-factor authentication for all services wherever possible, especially for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems and software up to date. Prioritize fixing known exploited vulnerabilities. Timely patching is one of the most effective and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, limit privileges to only necessary services or user accounts and perform continuous monitoring for abnormal activity.
  • Use a host-based firewall to only allow connections to administrative shares through Server Message Block (SMB) from a limited set of administrative machines.
  • Enable protected files in the Windows operating system to prevent unauthorized modification of critical files.
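
The monitoring called for in the ADMIN$/C$ and host-firewall items can be checked against share-access logs. The following is an added example, not code from the FBI bulletin or the article: it scans Windows Security event 5140 ("A network share object was accessed") records and reports ADMIN$ or C$ access from any source outside the approved administrative machines. The JSON-lines export format, the 10.0.5.0/28 admin subnet, and all sample hosts and accounts are constructed assumptions.

```python
import ipaddress
import json

# Assumption: the "limited set of administrative machines" (constructed subnet).
ADMIN_HOSTS = [ipaddress.ip_network("10.0.5.0/28")]
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample: event 5140 records exported as JSON lines (export format assumed).
SAMPLE_EVENTS = r"""
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "adm_lee", "IpAddress": "10.0.5.4", "ShareName": "\\\\*\\ADMIN$"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.20.37", "ShareName": "\\\\*\\C$"}
{"EventID": 5140, "Computer": "FS02", "SubjectUserName": "adm_lee", "IpAddress": "::ffff:10.0.5.9", "ShareName": "\\\\*\\c$"}
{"EventID": 5140, "Computer": "FS02", "SubjectUserName": "jdoe", "IpAddress": "10.0.20.37", "ShareName": "\\\\*\\Finance"}
{"EventID": 4624, "Computer": "FS02", "SubjectUserName": "jdoe", "IpAddress": "10.0.20.37"}
{"EventID": 5140, "Computer": "FS02", "SubjectUserName": "svc_scan", "IpAddress": "-", "ShareName": "\\\\*\\ADMIN$"}
"""

def _source_ip(raw):
    """Parse the IpAddress field; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # unparseable source, e.g. "-"
    return getattr(ip, "ipv4_mapped", None) or ip

def find_admin_share_violations(lines, allowed=ADMIN_HOSTS):
    """Return (computer, share, user, source) for admin-share access from unapproved hosts."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5140:
            continue
        # ShareName looks like \\*\ADMIN$; keep the last path component.
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share not in ADMIN_SHARES:
            continue
        ip = _source_ip(ev.get("IpAddress", ""))
        # An unknown source is reported rather than silently trusted.
        if ip is None or not any(ip in net for net in allowed):
            findings.append((ev.get("Computer"), share,
                             ev.get("SubjectUserName"), ev.get("IpAddress")))
    return findings

if __name__ == "__main__":
    for finding in find_admin_share_violations(SAMPLE_EVENTS):
        print("unapproved admin-share access:", finding)
```
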
