Q-Bot Ransomware Targeting Financial Services: What Is It and What to Do About It

One particularly virulent ransomware affecting the financial services industry is Quack-Bot, also known as Q-Bot. Q-Bot notoriously defeats most endpoint protection technologies. It has the capability to steal credentials, account numbers and other sensitive banking information for export to cyber thieves.

This trojan virus is not new. Q-Bot has been around since 2007. But the disturbing trend is that it seems to be in a constant state of evolution to stay ahead of security technologies tasked with defeating it. After taking a brief hiatus over the fall and winter, this ransomware is back in a new version that presents a sophisticated and dynamic threat. And it probably isn’t going away anytime soon.

Breaking false assumptions to defeat Q-Bot and other cyber threats

Financial services as an industry has it pretty rough when it comes to cybersecurity. Data protection compliance is demanded by FINRA, PCI and DFS Standards. But what’s equally concerning is that many financial services organizations seem to think that if they are meeting all of these standards, then they are safe from cyberattack. That idea is far from the truth.

We recently talked about the Center for Internet Security (CIS): 18 Critical Security Controls that financial services organization should be hitting at a minimum to achieve actual threat protection, versus checking off boxes for compliance. Achieving compliance may put many of these controls in place but may also still stop short of the full 18. It’s those few remaining controls that, if left out, can make an organization the “low hanging fruit” that’s attractive to cyber attackers. The idea that compliance translates directly into effective security can be a dangerous assumption.

Another questionable assumption many companies make is that they can address complex threats by staffing up on their own. But according to the ISC2 2020 Cybersecurity Workforce Study, 56% of organizations say that they are at risk due to the current cybersecurity staff shortage. This is happening while there has been a dramatic increase in remote work and over half of IT professionals report an increase in endpoint attacks.

The volume and severity of cyberattacks is also increasing through multiple cyber-attack vectors such as compromised credentials and email, phishing, and cloud misconfiguration. And security teams are missing the attacks sliding through these openings. Companies with 1500-5000+ employees admit they’re ignoring 53% of security alerts and it typically takes a team 27-30 minutes to investigate an actionable alert—and it also takes 26-32 minutes to investigate a false positive.

Enter a new strategy to effectively close security gaps through MDR

This may seem like a monumentally complex challenge, but there is a path to effective security that can simplify everything down to clearly view threats and take direct action. Through Managed Detection and Response (MDR), an enterprise SOC can be created that strongly encompasses technologies, services and human capital to deliver confidence to financial services organizations. This confidence comes from the knowledge that they have a highly collaborative partner to handle the critical security functions required to match up against the advanced cyberthreats they face.

Here are some of the primary components of enterprise MDR for financial services:

  • It should outperform the traditional one-size-fits-all approach by adapting to the unique differences of each customer.

  • It should simplify security and shrink risk with continuous monitoring/threat detection and response coverage. Solutions and services should integrate with existing industry leading SIEM, EDR/EPP and XDR tools with the goal of building visibility, reducing complexity and collapsing attacker dwell time.

  • Onboarding and implementation should take into the account the organization’s unique environment and existing security tools and processes.

  • Detections and Indicators of Compromise (IOCs) should be infused directly into the tools used by the MDR team. The goal is to create a high-fidelity threat detection and validation platform that uses specific detection logic customized to your environment.

  • Threat intelligence should include a curation of original and third-party data to derive new detections and IOCs with everything mapped to the MITRE ATT&CK framework to reduce complexity and improve SOC effectiveness.

  • MDR should automate areas such as automatic resolution of false-positives and include automated response actions to improve SOC effectiveness and reduce attacker dwell time.


That last point is key, as many security teams will often prioritize or suppress alerts. The problem is that alerts generated by attacks such as ransomware may only appear as medium- or low-priority. What’s needed is a process that looks at all alerts, determines those that can be safely trusted, and then focuses on the alerts that are potentially indicative of an attack.

This process needs to be combined with collaborative, well-trained, seasoned security experts who will deeply understand your environment to adapt and scale with your organization’s needs and partner with you to detect, investigate and respond to threats specific to your organization. That’s how you simplify cybersecurity to protect customer and internal data in a highly risk-averse industry such as financial services.

Back to Q-Bot

Going back to our previous example of Q-Bot and the impact on financial services, just how would an organization utilizing MDR be able to respond to this type of aggressive ransomware? With a process aimed at resolving all alerts and playbooks that have been developed by working to understand each unique customer and the reality in which they operate, MDR analysts would be able to connect the dots to see the full picture of what is happening in a network. They can link together seemingly unrelated evidence to show a customer that there is an active attack happening within their network before it has a chance to spread and inflict serious damage.

The value of MDR is that it’s not simply meeting a mandated security requirement. It’s an active and dynamic approach to staying ahead of constantly evolving cyber threats through a process where the MDR provider takes on the complexity of cybersecurity so you can have the simplicity of understanding when a threat is present, what is being done about it, and what steps can further mitigate that threat in the future.

In financial services, it’s this type of simplicity that can enable your team to focus on the more important complexity of what it takes to be more competitive in the marketplace.



You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: ZTAP™, Zero Trust Analytics Platform™, and Trusted Behavior Registry™. Any unauthorized use is expressly prohibited.