Recent research has shown that ransomware is not going away. In fact, researchers have warned that this type of cyber-attack, in which access to critical systems, information and/or services is withheld until a ransom is paid to the attacker, is becoming more sophisticated and targeted.
In an age when so many of the services on which financial institutions rely have become decentralised and are provided digitally, the development of “ransomware-as-a-service” is alarming. It is somewhat ironic that there is a parallel with the use by financial services firms of “software-as-a-service”.
As I’ve written before, the first step which should be taken when considering a firm's cybersecurity is ensuring that there is buy-in throughout the business and that the consequences of getting it wrong are fully understood. Only then can effective protective measures be put in place. This is as much the case for ransomware as for any other cyber threat, although the delivery vectors for ransomware often depend on individual action.
But what can a firm do if, even having taken all possible precautions, it succumbs to a ransomware attack? Can it pay a ransom to regain access to its systems and continue operating its business? The short answer is that, although the FCA and National Crime Agency have discouraged ransom payments, strictly as a legal matter it can, provided there is no indication that the ransom would be going to any form of terrorist or sanctioned organisation (which may be why so many ransomware groups prefer to remain anonymous).
The best form of defence will, however, remain defence and the preparation inherent in that. Whilst no firm can ever be certain that it is impenetrable to cyber criminals, making it an unattractively fortified target is probably the next best thing.
Additional reading: Ransomware: should you pay?
The emergence of ransomware-as-a-service offerings is driving more sophisticated strains of ransomware, and while basic cyber hygiene guidance on patching vulnerabilities, storing backups offline and whitelisting applications is still valid, the researchers believe this is far from adequate.