The London-based financial technology firm Finastra became the victim of a ransomware attack in mid-March. The attackers took advantage of longstanding weaknesses in Finastra’s security infrastructure. Finastra was back online relatively quickly without having paid the ransom.
How Did It Happen?
Finastra is a London-based fintech firm with offices in 42 countries worldwide and over 10,000 employees. Its more than 9,000 clients include 90 of the top 100 banks globally. However, despite its size, Finastra had been carrying known cybersecurity and data protection risks for some time before the attack.
Last year, Bad Packets, a threat intelligence firm, conducted an internet-wide scan which highlighted several vulnerabilities at Finastra. According to Bad Packets, Finastra had been running unpatched servers for a considerable period. It also found that Finastra was still running outdated Pulse Secure VPN and Citrix servers. At the beginning of this year, Bad Packets reported that Finastra was still running four outdated Citrix servers.
Both of the above-mentioned servers have documented vulnerabilities that have been exploited by hackers in the past. These weaknesses in Finastra’s security infrastructure could potentially have been to blame for Finastra’s recent ransomware attack.
Why weren’t the vulnerabilities repaired?
A person familiar with the investigations undertaken at Finastra after the attack spoke to Bloomberg Businessweek earlier in the week. The person told the publication that Finastra’s security team had recommended fixing the vulnerabilities to management some time ago. However, management decided not to go ahead with repairing the vulnerabilities amid concerns the changes would cause disruptions in older applications.
How Was the Attack Perpetrated?
Attackers gained access to Finastra’s systems by capturing employee passwords and installing backdoors on dozens of the firm’s critical servers. They then used pre-existing vulnerabilities to move through the firm’s network. The attack went undetected for three days, but eventually unusual activity on Finastra’s cloud servers alerted the security team to possible issues.
On the same day Finastra put out a statement that read: “We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers. As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”
The security team discovered that attackers had begun infecting the firm’s network with the Ryuk ransomware. Consequently, it was decided to take all infected servers offline to stop its spread. Tom Kilroy, Finastra’s chief operating officer, later put out a statement which said: “Out of an abundance of caution, we immediately acted to take a number of our servers offline while we continue to investigate. We have also informed and are cooperating with the relevant authorities and we are in touch directly with any customers who may be impacted as a result of disrupted service.” Finastra also stated that they hadn’t found “any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted.”
Finastra Pays No Ransom
Since Finastra became aware of the attack relatively quickly, it was able to identify and isolate potentially infected servers. This contained the attack to a limited number of servers, which were then quickly taken offline. Next, Finastra removed the malware from the offline servers wherever possible and rebuilt the others from backups.
These quick actions allowed the firm to bring key services back online within days without paying the ransom. “We retained control of our network through the action that we took in taking our servers offline, and our ability to resume operations in a relatively short space of time reflects that,” a company spokesperson told Bloomberg Businessweek. Other organizations, such as Maastricht University, Travelex and the City of New Orleans, have taken weeks to come back online.
By shutting down essential services instead of paying the ransom, Finastra absorbed one type of cost to avoid another, potentially more severe cost. “Paying the ransom,” the spokesperson went on to say, “just makes you a bigger target for next time.”