Finastra Incident: A Positive Ransomware Case Study

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated…”

Links:

• https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/
• https://www.crowdfundinsider.com/2020/03/159107-security-alert-uk-fintech-finastra-experiences-ransomware-attack-takes-some-servers-offline/

Summary:

• Articles authored by Brian Krebs (Krebsonsecurity) and Omar Faridi (Crowdfund Insider).
• Finastra publicly notified detection of a bad actor attempting to deploy malware within their network as part of a ransomware attack.
• The notification was timely, and despite the full scope of the attack not being known, Finastra put out an advisory on March 20th, 2020, with relevant and appropriate information based on the situation at the time.
• Information available to-date would suggest that the attackers had either been detected before the ransomware was executed, or the ransomware was only executed on non business-critical systems:
  • An update by Finastra at 5:21pm on Friday stated that no customer or employee data was accessed or stolen
  • At the same time, internal systems are likely still deemed at-risk and appropriate cautions undertaken: “Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere“
  • This could mean that the “affected servers” are either application servers that faciliate data transfer (e.g financial transactions) which need to be restored, or they are databases that hold sensitive information but on which the ransomware attack failed
• Ransomware attacks are frequent and should be considered inevitable, and as such the most important consideration when protecting against them is how the business reacts.
• Finastra’s security organisation not only seems to have detected the threat in the crucial dwell-time before Ransomware execution (see my previous post), but the security teams response appears tried and thorough, they were ready for this scenario.
• The business responded just as diligently by providing timely and relevant information to the public and more importantly it’s customers and stakeholders.
• At the time of writing Finastra has not released further information beyond a statement informing of the precautions being taken before restoring systems: ” we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible“