Ransomware Prevention Best Practices for Banks and Financial Firms

By Huseyin Can YUCEEL • May 12, 2023


The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


With the development of successful business models, ransomware has become a low-risk and high-reward business for financially motivated cyber threat actors. Considering the valuable assets and data they manage, financial institutions are unsurprisingly attractive targets for ransomware groups. According to Sophos, ransomware attacks against financial institutions increased by 55% last year, and the average cost of remediating the attack was above the global average of USD 1.59 million.


Ransomware Attacks on Financial Institutions

Ransomware attacks cause substantial damage to organizations with business disruption, reputational damage, revenue loss, and unauthorized sensitive information disclosure. Since financial institutions are considered critical infrastructure, ransomware attacks on them affect the public disproportionately. 

Financially motivated ransomware gangs and state-sponsored threat actors continue to come up with sophisticated ransomware campaigns. Although financial institutions are aware of their cybersecurity responsibilities and have security controls in place, they are hit by costly ransomware attacks. According to FS-ISAC, ransomware continues to be a top concern for organizations. Therefore, financial institutions are advised to manage their security operations with ransomware in mind. Since preventing ransomware attacks is much more cost-effective than recovering from one, organizations should follow these best practices for ransomware prevention.

Ransomware Prevention Best Practices for Banks and Financial Firms

1. Reduce Your Attack Surface Against Ransomware Attacks

1.1. Know Your Assets and Associated Risks

NIST defines assets as the data, personnel, devices, systems, and facilities that enable the organization to achieve its business purposes. Financial institutions manage millions of assets to serve their customers and employees, and each asset carries a different level of risk. While protecting all assets from ransomware attacks is one of the primary goals of security teams, not all assets require the same level of attention and resources. For example, organizations are legally required to securely handle their customers' Personally Identifiable Information (PII) and Protected Health Information (PHI). Therefore, financial institutions should keep and maintain an inventory of their assets and categorize them according to their associated security risks.

1.2 Assess Your Security Posture Regularly

Financial institutions' security posture is always dynamic, and it should be monitored and maintained continuously. Since any misconfiguration, vulnerable system, or misconduct may result in major disruption of daily operations, regular security posture assessments are vital for secure and uninterrupted operations. Having a well-maintained asset inventory helps these assessments and reduces any potential oversight.

For thorough posture assessments, financial institutions should follow the best practices below.

  • Conduct Regular and Frequent Vulnerability Scanning

Ransomware threat actors often gain access by abusing known and critical vulnerabilities in public-facing technologies. Scanning your assets for these vulnerabilities provides great visibility for your organization's attack surface and allows your security teams to prioritize and mitigate critical vulnerabilities that might lead to ransomware infection.

In December 2021, the notorious ransomware group BlackByte started to abuse Microsoft Exchange ProxyShell vulnerabilities for initial access. Although the vulnerabilities were disclosed in May 2021, many organizations still running vulnerable versions fell victim to BlackByte ransomware attacks.

Financial institutions have far too many assets for manual vulnerability scanning to be efficient. Using automated vulnerability scanners is the recommended practice, as they allow swifter and more frequent scans. There are many free, open-source, and commercially available vulnerability scanning tools.

  • Disable Unused Ports and Services

Financial institutions have thousands of hosts and network devices in their networks worldwide, and they rely on services such as remote desktop, file sharing, and many others. While these services help them run their business more efficiently and effectively, ransomware threat actors prey on poorly secured RDP and SMB services to infect victims and propagate ransomware through their networks.

In their latest joint advisory, the Financial Crimes Enforcement Network (FinCEN) listed Remote Desktop Protocol (RDP) exploitation (T1133) as an initial access method used by the MedusaLocker ransomware group.

Organizations should identify and disable ports and services that are not used for business purposes to reduce their attack surface. If these ports and services are required for business operations, organizations should use them with additional security measures such as multi-factor authentication, account lockouts, and regular audits.

  • Validate Security Controls

Financial institutions have multiple security controls in their inventory and use them to defend against cyberattacks, including ransomware attacks, every day. However, security controls do not perform best when in their default configuration. They need to be configured to address the security needs of the organization for optimal performance.

In September 2022, CISA recommended organizations adopt automated security control validation to protect against Advanced Persistent Threat (APT) actors using ransomware.

Financial institutions are recommended to validate their security controls against threat behavior shown by ransomware variants. This method helps organizations measure the effectiveness of their controls and identify gaps in their security posture.

1.3. Mitigate Identified Gaps in Your Security Posture

Security assessment provides visibility to organizations on their security gaps and the risks associated with these gaps. The next logical step for organizations is to prioritize and mitigate identified security gaps before ransomware threat actors exploit them. Mitigating critical severity and newly discovered vulnerabilities requires immediate attention because sophisticated ransomware attackers quickly incorporate them into their attack campaigns.

In March 2023, Magniber ransomware was observed to use a zero-day vulnerability (CVE-2023-24880) discovered in February 2023. The vulnerability allowed the Magniber group to bypass Windows SmartScreen without raising an alert. 

Reducing the attack surface and maintaining security posture are continuous processes. As these efforts mature through frequent security assessments, financial organizations become more resilient against ransomware attacks and keep their operations safe.

2. Raise Awareness Against Ransomware

Unfortunately, ransomware attacks are prevalent and will remain a business risk for a long time. Even if your organization manages to keep its attack surface reduced and well managed, adversaries always come up with clever tricks to deceive users and gain access to your network. Since an organization's security also depends on its users, financial institutions are advised to educate their employees, business partners, and customers about ransomware and raise awareness of ransomware attacks.

2.1 Beware of Phishing Emails and Malicious Links

Ransomware threat actors use social engineering to trick legitimate users into causing a cybersecurity incident, such as revealing sensitive information or installing malicious software. The most common social engineering attack that financial institutions face is phishing.

In phishing attacks, adversaries craft legitimate-looking emails, advertisements, or websites to create a sense of urgency, fear, or curiosity in their targets. The targeted users are then led to share confidential data, click on links to malicious websites, or open malware-laced documents. Depending on the targeted users' permissions, the impact of the incident can be severe.

Phishing was the second most common cause of a breach and also the costliest, averaging USD 4.91 million in breach costs. [IBM - Cost of Data Breach 2022]

To combat phishing campaigns, financial institutions are recommended to implement a cybersecurity awareness program in which users are trained to identify and report suspicious emails, documents, and websites. Since phishing campaigns evolve and adopt new techniques over time, security teams are advised to regularly run mock-phishing tests to gauge user awareness.

3. Implement Security Policies Against Ransomware Attacks

Many financial institutions are mandated to create and implement security policies by national and international regulations. These security policies describe what organizations should do before, during, and after a ransomware attack. Therefore, they play an essential role in ransomware prevention. Knowing, writing down, and practicing what to do before an attack reduces the risk that stems from ransomware.

3.1 Implement Secure Password Policies

Every day, users enter several different passwords to log into their business accounts and personal devices. Since complex passwords are hard to memorize, users unfortunately choose simple passwords or reuse the same password across different services. Ransomware threat actors abuse these weak password practices to gain control of users' valid accounts. To prevent this, financial institutions are advised to implement secure password policies.

While organizations may have different approaches, secure password policies often share similar traits. Here are some of the common best practices for password policies recommended by Microsoft.

  • Password length should be 14 characters minimum. Longer passwords are more resilient to brute-force attacks.
  • Create a password blacklist and ban common passwords. Common and default passwords are easily predicted by adversaries.
  • Educate users not to reuse passwords. Password reuse increases the likelihood of password compromise.
  • Turn on multi-factor authentication whenever possible.
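As an added illustration of the traits listed above (example code written for this page, not from the article or from Microsoft), the following Python check enforces a 14-character minimum, rejects passwords built on a banned word even after common substitutions, and refuses reuse by comparing against stored hashes of previous passwords. The banned list, the substitution table and the use of plain SHA-256 for the history are constructed placeholders; MFA is a setting on the identity provider, not something a password check can enforce.

```python
import hashlib
import re

MIN_LENGTH = 14

# Constructed sample of a banned-password list; a real deployment would load a
# much larger list (leaked passwords, company name, product names, seasons...).
BANNED_WORDS = ("password", "welcome", "letmein", "qwerty", "summer", "admin")

# Undo the most common "leetspeak" substitutions so that variants such as
# "P@ssw0rd2023!" still match the banned word "password". Assumed table.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                                "$": "s", "3": "e", "4": "a", "5": "s"})


def normalize(password: str) -> str:
    """Lower-case, reverse common substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_SUBSTITUTIONS))


def history_hash(password: str) -> str:
    """Hash used to remember previous passwords. SHA-256 stands in for the
    salted, slow hash (bcrypt/argon2) a real credential store must use."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, previous_hashes: frozenset = frozenset()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    normalized = normalize(password)
    for word in BANNED_WORDS:
        if word in normalized:
            violations.append(f"contains banned word '{word}'")
            break  # one banned-word finding is enough
    if history_hash(password) in previous_hashes:
        violations.append("reused password")
    return violations


if __name__ == "__main__":
    history = frozenset({history_hash("MyOldLongPassphrase2022")})
    for candidate in ("Summer2023!", "P@ssw0rd-for-the-bank", "MyOldLongPassphrase2022",
                      "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
```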

3.2. Regularly Back Up Data

Ransomware attacks' main objective is to encrypt sensitive information, which results in the disruption of business operations. Having a comprehensive backup policy enables financial institutions to restore their operations with minimal impact. When backing up data, organizations should consider the following practices.

  • Adopt the 3-2-1 rule in your backup strategy: keep three copies of your data (the primary data, an on-site backup, and an off-site backup).
  • Keep your backups encrypted. Unencrypted backups pose a security risk.
  • Back up data regularly.
  • Ensure that critical data is covered by the backup plans.
  • Validate your backups regularly.

3.3. Prepare Incident Response and Business Continuity Plans

Even if financial organizations do their best to prevent ransomware attacks, the risk of ransomware infection cannot be fully eliminated. Therefore, organizations should plan and practice what to do during and after a ransomware attack. Since ransomware is both a security and a business risk, organizations should prepare two plans. The first is the "Incident Response Plan", which defines roles and strategies for detecting, responding to, and recovering from a cyber incident. The second is the "Business Continuity Plan", which describes how the business remains operational during and after a cyber incident. Both plans should be verified, updated, and practiced regularly.

Leverage the Security Control Validation Approach to Mitigate Ransomware Risk

Picus Complete Security Validation Platform

The Complete Security Validation Platform enables you to ensure that your prevention and detection systems are up to date and their rules are appropriately configured. It allows for assessing the security stack's performance against ransomware attacks and evaluating how people, processes, and technologies work together against cyber threats. Picus' platform also improves your security posture by providing actionable vendor-agnostic and vendor-specific risk mitigation suggestions.


Ransomware attacks on financial institutions will remain a business risk for the foreseeable future. While many organizations have fallen victim to ransomware attacks in recent years, ransomware prevention is very much possible with the right precautions and strategies. Financial institutions are advised to follow the best practices given in this article to reduce the risk and impact of ransomware attacks.

  • Reducing attack surface is essential to preventing ransomware attacks.
    • Know your assets and what to protect.
    • Assess and validate your security posture continuously.
    • Mitigate security gaps in your posture proactively.
  • The human element in cybersecurity should not be ignored. Educating your users about ransomware can help your organization immensely.
  • Knowing what to do before, during, and after ransomware attacks is important. Practicing these strategies reduces the impact and cost of ransomware attacks tremendously.
