Mar 20

Security Breach Disrupts Fintech Firm Finastra

Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company’s public statement and notice to customers do not mention the cause of the outage, but its response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

Update, 5:21 p.m. ET: Finastra has acknowledged that it is battling ransomware.

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the company said in a revised statement.

The statement continues:

“Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere, while we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible, with minimum disruption to service, however we are anticipating some disruption to certain services, particularly in North America, whilst we undertake this task. Our priority is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”

Finastra also acknowledged an incident via a notice on its Web site that offers somewhat less information and refers to the incident merely as the detection of anomalous activity.

“The Finastra risk and security services team has detected anomalous activity on our systems,” wrote Tom Kilroy, Finastra’s chief operating officer. “In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to strongarm victim companies into paying up.

One reader on Twitter told KrebsOnSecurity they’d heard Finastra had sent thousands of employees home today as a result of the security breach. Finastra told this author the company closed select offices in Canada and Paddington, London today where employees were unable to access the servers which they took offline.

“The majority of the Company’s employees are already working from home,” a statement shared by Finastra reads. “This is determined by Finastra’s response to COVID-19 and not related in any way to this incident.”

Interestingly, several ransomware gangs have apparently stated that they are observing a kind of moratorium on attacking hospitals and other healthcare centers while the COVID-19/Coronavirus epidemic rages on. Bleeping Computer’s Lawrence Abrams said he recently reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Abrams said several of those gangs told him they would indeed stop attacking healthcare providers for the time being. One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stating that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of their ransomware.

“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” reads the release from the Maze ransomware gang.

A press release published by the Maze ransomware group.

This story will be updated as more details become available.


33 comments

  1. LOL Discounts to victims of ransomware.

    • I about fell on the floor when I saw the offer of ransomware discounts. What will these guys think of next? 🙂 If you cannot trust a ransomware operator, who can you trust?! Of course I am just kidding.

  2. I don’t think the gangs are doing this out of the goodness of their heart, or even as a practical reaction to the Corona problem; I think they know if they keep up operations like they were, that the world wide outrage would spill over onto them like an avalanche, and they could end up the target of a drone if they don’t watch it!!!

    Scumbags!! >:-(

    • YES!

    • A little birdie on my shoulder told me that a drone attack inside of Mother Russia is highly unlikely.

      • Shame organized crime outside of Russia doesn’t see the opportunities. Since the Russian gangs don’t hit up companies inside for fear of repercussions, there are green pastures there waiting to be raked from the outside.

    • Such honor among thieves

      Perhaps when their babushkas become ill or die from Covid-19 they will begin to give rebates?

  3. Discounts… seriously(?)

    > “…One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stated that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of their ransomware…”

  4. …lol…”…give half your money or you die…”

  5. Trojan at their mail server IP address since at least September 2019:
    52.51.237.24

  6. The Sunshine State

    Anything connected to the internet backbone, is going to be vulnerable to some type of attack eventually

  7. Hi Brian,

    Great article, again.

    Hey, as a side note, could you maybe do a 2020 updated article (like you’ve done in the past) extolling people–aimed at end consumers—to take advantage of any and/or all security measures wherever/whenever they go online? Especially 2FA if it is offered??

    I’ve been gobsmacked recently, talking to what I had presumed were knowledgeable people, and finding out that they are not taking advantage of anything that their banks, insurance, investment, and other online-frequented companies, even their email provider, offer them.

    I understand consumer inertia, outright laziness & all.

    But when I explain to these people how, for example, something as simple as using a ‘2fa physical key’ with a dedicated email account (we all can thank Google for their free AP Program that’s over 6+ years running now) in addition to setting up simple email login code requirements sent to that email, is a high barrier to hurdle for hackers, malware gangs, etc.

    Reading an article like this about Finastra, immediately my thoughts go to companies like FIS, Fiserv, ACI, Bottomline, Broadridge, Cardtronics, CoreLogic, Global Payments and MoneyGram. People have no idea of what could actually happen.

    End consumers gotta wake up and start doing their part, on their end.

    Yes, Finastra messed up majorly here, and I know this mantra of “protect yourself as much as possible” doesn’t apply to us devoted Krebs readers since we all probably already do it, but I sure could use an updated, refreshed Spring 2020 Krebs on Security article to wave in people’s faces when they look at me both glossy & cross-eyed and say: “huh?…what??…who/what is FIS? Fiserv?? Are they a food-serving company?? etc, etc…” ;-/

    • Great idea for Brian to do a wrap-up article suitable for forwarding to our less-technical friends and relations.

  8. My bank account is impacted by this. How long do these things take to resolve? I can’t view my balance and my bank isn’t telling me much other than it’s a technical difficulty. Does this mean my SSN and account info was stolen?

    • This is from Finastra at this time, it is an email I have received from them as a customer.

      March 21, 2020, 9:00 a.m. Status Update: Attack successfully contained on Friday, March 20, 2020. No evidence of any data loss or breach. Remediation work continuing 24/7 with the goal to restart production as soon as safe to do so in a controlled manner. More technical details are forthcoming.

  9. How many banks in North America were affected?

  10. Google for mortgagewebcenter.com to get a sense of the number of the banks that use their mortgage platform.

  11. This is more than an “interruption”… this attack apparently caused my clients to not be able to close on their home on Friday, (3/20/20) and potentially (due to the current collapse of employment in the United States) they may not be able to close on their home AT ALL.

  12. How many banks in Asia were affected?

  13. I believe this is an informative article and it is extremely useful and knowledgeable. I really enjoyed reading this post. Big fan, thank you!
    Kind regards,
    Demir Valenzuela