Fintech Firm Finastra Recovering From Ransomware Attack
Attackers Targeted Corporate Network, Forcing Company to Shut Down IT Operations
Finastra, a large financial services software provider based in London, continues to recover from a ransomware attack that forced the company to take its IT operations offline Friday to prevent further damage to its corporate network, according to the company's CEO.
Finastra, founded in 2017, is one of the world's largest fintech firms, reporting revenue of $1.9 billion in 2019. Its software is used by some of the world's largest banks, according to the company’s website. It has offices in 42 countries with 10,000 employees, and it serves over 9,000 customers.
Finastra sells cloud-based and on-premises financial software, including mobile banking tools, to financial institutions, investment firms and retail outlets.
CEO Tom Kilroy, who has posted a series of notices on the company’s website, on Monday noted that Finastra was still working to "restore full IT operations. As mentioned previously, our solutions each have their own nuanced processes to move from being available to operationally live, and we are working closely with impacted customers to move through these essential steps securely."
The ransomware attack, which started on Friday, forced Finastra to take its servers offline to prevent the malware from spreading further within its network, according to the online update. Kilroy did not offer details about the type of ransomware used in the attack on the company's infrastructure, but he noted that no customer or employee data apparently was inappropriately accessed or exfiltrated.
As announced earlier, Finastra teams learned of potentially anomalous activity on our systems. Statement here as we continue to investigate: https://t.co/SQZKBNSR6C — Finastra (@FinastraFS) March 20, 2020
Kilroy also noted that any clients running their own software on Finastra's network were not affected. The company is working with U.K. law enforcement officials as well as security firms to investigate the incident.
The CEO didn't identify the ransomware strain or provide details about the ransom demanded, but he noted that no customer or employee data was accessed or exfiltrated by the threat actor. The company did not immediately respond to a request for comment.
Chicago-based threat intelligence firm Bad Packets noted in September 2019 that Finastra was one of several companies still running unpatched Citrix gateway servers with known vulnerabilities that attackers were exploiting (see: Patch or Perish: VPN Servers Hit by Ransomware Attackers).
In October 2019, the U.S. Cybersecurity and Infrastructure Security Agency issued a warning that organizations needed to patch their VPN vulnerabilities, noting that advanced persistent threat groups were beginning to target these flaws.
When London-based foreign currency exchange firm Travelex was hit with a ransomware attack in January that crippled its operations, ComputerWeekly reported that the company was using Pulse Secure VPN servers that were not patched (see: Currency Exchange Travelex Held Hostage by Ransomware Attack).
According to a BBC report, the Sodinokibi ransomware gang, which also goes by the name REvil, claimed to have accessed Travelex's network six months before the January attack and had downloaded and encrypted about 5 GB of sensitive customer data, including dates of birth as well as payment and credit card data.