Strengthen Your Defenses: Preparing for ransomware attacks

In October 2021, a California community bank was victimized by a ransomware attack. The hackers obtained sensitive information from the bank’s systems, including loan application forms, tax returns, W-2 information, payroll records, names, addresses and Social Security numbers. They threatened to release this information if the bank failed to negotiate.

The bank incurred significant financial costs and reputational damage associated with the attack. It also offered free credit monitoring and identity theft protection services to affected customers. This is just one of many examples of community banks that have been targeted by ransomware attacks in recent years.

Double trouble

There was a time when smaller banks reasonably believed that cybercriminals would leave them alone, because larger institutions offered a bigger payoff. Recently, however, the trend has reversed. Cybercriminals are now targeting small banks, which they believe lack the wherewithal to protect against these attacks and have less robust internal controls than larger institutions.

A newer variation is the so-called "double extortion" attack. In a traditional ransomware attack, the cybercriminal typically gains a foothold by sending a phishing email to a bank employee or another user of the bank's systems. If the recipient opens the attachment or clicks the link, malware is installed that spreads through the bank's systems and encrypts its data. The cybercriminal then demands a ransom payment in exchange for the decryption key.

Some victims, however, were able to restore their systems quickly from unaffected backups and refused to pay. To take that option away, a double extortion attack adds a second step: before encrypting anything, the attacker copies sensitive data out of the bank's network and then threatens to publish or sell it if the ransom isn't paid. Good backups alone do not neutralize this threat, because the stolen copy is already outside the bank's control.

Protective measures

To minimize the risks associated with ransomware attacks, community banks should follow industry practices recommended by the Federal Financial Institutions Examination Council (FFIEC) and other federal banking agencies. These include:

  • Regularly assessing the bank’s exposure to ransomware risks and patching any vulnerabilities,
  • Educating employees about the risks of ransomware and training them on identifying and reporting potential attacks,
  • Inventorying hardware, software, connections and data, with programs in place that identify vulnerabilities,
  • Maintaining backups that an attacker on the network cannot reach or alter (offline or immutable copies) and regularly testing that they can be restored,
  • Segmenting networks to limit a cybercriminal’s access within the system if a breach occurs,
  • Managing third-party risks that expose the bank to ransomware attacks,
  • Implementing email filtering processes that identify malicious messages and prevent them from reaching end users, and
  • Restricting the use of employees’ personal devices on the bank’s network.
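The email-filtering item above is easier to reason about with a concrete set of checks. The following is an added example (not code from the page or from any regulator's guidance) of the kind of header and attachment heuristics a gateway or SOC analyst applies to a phishing message before it reaches a teller: a Reply-To domain that differs from the sender, a display name that borrows the bank's own domain, a lookalike sender domain, and a macro-bearing attachment. The bank domain `examplebank.com`, the blocked-extension list and both sample messages are constructed for the illustration.

```python
"""Heuristic phishing triage for an inbound message (added example).

Parses an RFC 5322 message with the standard library and returns a list
of findings; an empty list means none of the checks fired.
"""
import email
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumptions for the example: the bank's own mail domain and a small set
# of attachment types the gateway refuses outright.
INTERNAL_DOMAIN = "examplebank.com"
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (examp1ebank vs examplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # Replies silently redirected to a third party are a classic BEC sign.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to domain differs from sender domain")
    # Display name pretends to be internal while the real address is not.
    if INTERNAL_DOMAIN in from_name.lower() and from_dom != INTERNAL_DOMAIN:
        findings.append("display name claims internal domain")
    # External domain within two edits of our own domain.
    if from_dom != INTERNAL_DOMAIN and 0 < _levenshtein(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).suffix.lower() in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type {name}")
    return findings


# Constructed phishing sample: lookalike domain, redirected Reply-To,
# internal-looking display name and a macro-enabled Word attachment.
SAMPLE = """\
From: "IT Helpdesk examplebank.com" <helpdesk@examp1ebank.com>
Reply-To: collect@mail-relay.example
To: teller@examplebank.com
Subject: Urgent: password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form and re-enter your credentials today.
--b1
Content-Type: application/octet-stream; name="reset_form.docm"
Content-Disposition: attachment; filename="reset_form.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: Jane Doe <jane.doe@examplebank.com>
To: teller@examplebank.com
Subject: Branch meeting
Content-Type: text/plain

See you at 10.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

These heuristics are a first pass, not a verdict: a real gateway layers them on top of SPF, DKIM and DMARC results and on sandbox detonation of attachments, and a message with one finding usually goes to quarantine for review rather than being dropped.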

Be aware that paying a ransom may violate U.S. sanctions law if the recipient is on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals list or is otherwise subject to sanctions; the restriction is not limited to designated terrorists, and it applies even if the bank did not know who it was paying. OFAC treats prompt reporting of the attack to law enforcement, and cooperation with the investigation, as significant mitigating factors. Banks also may need to file Suspicious Activity Reports (SARs) on ransomware payments and related transactions, including payments made on their behalf by an incident response or insurance firm.

Another critical tool for defending your bank against cyberattacks is a program of regular system vulnerability assessments and penetration tests. Vulnerability assessments involve scanning all internal and external networks to identify security flaws or weaknesses. Penetration testing — a form of “ethical hacking” — involves the intentional launching of simulated cyberattacks to identify any vulnerabilities that can be exploited to compromise the bank’s systems or data. It can also be used to test the bank’s security policies, employees’ security awareness, and the bank’s ability to flag and respond to security issues as they happen.

Typically, vulnerability assessments should be conducted twice a year and penetration testing should be done annually. But the appropriate frequency of testing depends on your bank’s circumstances and resources.

Have a plan

As cyber risks continue to mount, your bank needs a comprehensive cybersecurity plan that reduces risks and minimizes damages should they occur. It should include an incident response protocol for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing customer assistance, and notifying the bank's primary federal regulator as the federal banking agencies' Computer-Security Incident Notification Rule requires: as soon as possible, and no later than 36 hours after the bank determines that a notification incident has occurred.

© 2023

What’s Your Bank’s Plan to Counter Ransomware Attacks?

Cybersecurity continues to be a key risk that businesses face today, and banking is among the industries most affected by cyberattacks. Some experts estimate that around a quarter of all malware attacks target financial institutions. Of particular concern are ransomware attacks, which have increased dramatically in the past couple of years.

The threat of ransomware is so serious that the National Institute of Standards and Technology (NIST), developer of the widely used Cybersecurity Framework, recently published a draft Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374, the Ransomware Profile).

Ransomware and risk management

Ransomware is a type of malware that encrypts an organization's data. Once the malware has run, the attackers demand payment in exchange for the decryption key that unlocks the data. In some cases, they also steal the organization's information first and demand an additional payment to avoid disclosing it to authorities, competitors or the public.

The Ransomware Profile outlines several basic preventive steps organizations can take to protect themselves against the ransomware threat, including:

  • Use antivirus software at all times,
  • Keep computers updated with the latest security patches,
  • Segment internal networks to prevent malware from proliferating among potential target systems,
  • Continuously monitor for indicators of compromise or active attack,
  • Block access to potentially malicious web resources,
  • Allow only authorized apps (application allowlisting), and avoid use of personal apps, such as email, chat and social media, on work computers,
  • Use standard user accounts, rather than accounts with administrative privileges, whenever possible,
  • Restrict personally owned devices on work networks,
  • Educate employees about social engineering (for example, to not open files or click on links from unknown sources without scanning for viruses or taking other precautions), and
  • Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the appropriate access.
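The "continuously monitor for indicators of compromise or active attack" item is the one on this list that is hardest to picture without code. The following is an added example, not material from NIST's Ransomware Profile or from the page, of two detections run over constructed file-server audit events: a burst of renames to an extension the environment never uses (mass encryption in progress), counted per host and user in a sliding one-minute window, and the creation of a ransom-note style file. The log line format, the host and user names, the known-extension list and the thresholds are all assumptions made for the illustration.

```python
"""Ransomware activity detection over file-server audit events (added example)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format, e.g.
# 2023-05-02T09:14:10 host=fs01 user=jsmith op=RENAME path="/a/x.pdf" new="/a/x.pdf.locked"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) '
    r'path="(?P<path>[^"]+)"(?: new="(?P<new>[^"]+)")?$'
)
RANSOM_NOTE_RE = re.compile(r"(readme|how[_ -]?to|restore|decrypt|recover)", re.I)
KNOWN_EXT = {".pdf", ".docx", ".xlsx", ".csv", ".txt", ".jpg", ".png"}  # assumed baseline
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20  # suspicious renames per (host, user) inside WINDOW


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return alerts in the order they fire while streaming over the lines."""
    alerts = []
    recent = defaultdict(deque)  # (host, user) -> timestamps of suspicious renames
    already = set()              # (host, user) pairs already alerted on, to avoid a flood
    for ev in filter(None, map(parse, lines)):
        key = (ev["host"], ev["user"])
        name = os.path.basename(ev["path"])
        # Indicator 2: a ransom note dropped into a share.
        if (ev["op"] == "CREATE" and RANSOM_NOTE_RE.search(name)
                and name.lower().endswith((".txt", ".html", ".hta"))):
            alerts.append({"type": "ransom_note", "host": ev["host"],
                           "user": ev["user"], "path": ev["path"], "ts": ev["ts"]})
        # Indicator 1: many renames to an unknown extension in a short window.
        if ev["op"] == "RENAME" and ev["new"]:
            if os.path.splitext(ev["new"])[1].lower() in KNOWN_EXT:
                continue  # ordinary rename within the expected file types
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop renames that fell out of the window
            if len(q) >= threshold and key not in already:
                already.add(key)
                alerts.append({"type": "mass_rename", "host": ev["host"],
                               "user": ev["user"], "count": len(q), "ts": ev["ts"]})
    return alerts


def sample_events():
    """Constructed audit lines: five benign renames by mlee, then jsmith's
    session renaming 25 loan files to .locked within 25 seconds and dropping a note."""
    t0 = datetime(2023, 5, 2, 9, 14, 0)
    lines = []
    for i in range(5):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} host=fs01 user=mlee op=RENAME '
                     f'path="/shares/ops/draft{i}.docx" new="/shares/ops/final{i}.docx"')
    for i in range(25):
        ts = (t0 + timedelta(seconds=10 + i)).isoformat()
        lines.append(f'{ts} host=fs01 user=jsmith op=RENAME '
                     f'path="/shares/loans/app{i}.pdf" new="/shares/loans/app{i}.pdf.locked"')
    ts = (t0 + timedelta(seconds=40)).isoformat()
    lines.append(f'{ts} host=fs01 user=jsmith op=CREATE path="/shares/loans/HOW_TO_RESTORE_FILES.txt"')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The rename counter fires on the 20th suspicious rename, while the session is still running, which is the point: an alert that arrives after the share is fully encrypted is only useful for forensics. The note-name pattern will also match legitimate README files, so in practice it is weighted alongside the rename burst rather than used on its own.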

Organizations also should take steps that will help them recover from future ransomware events, including developing and implementing rigorous backup and incident recovery plans.

Backup strategies and incident response plans

Simply keeping backups of data isn't enough. Any significant gap in recoverable data or delay in restoring systems can be devastating for a bank. So banks should back up data at least daily, verify that each backup set is complete and intact, and regularly test restores so that they know the data is usable. At least one copy should be kept offline or otherwise immutable: an attacker who has reached the production network will try to encrypt or delete any backups that can be reached from it, and an offline copy is what makes recovery without payment possible.
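"Test and validate" is easy to say and easy to skip. The following is an added example (not code from the page) of one way to make a backup set verifiable: a manifest of SHA-256 hashes taken when the backup is written, an HMAC over that manifest using a key that is stored with the offline copy rather than on the network, and a restore check that reports anything missing, altered or unexpected. The temporary directories, file contents, tampering steps and the key are all constructed for the demonstration.

```python
"""Backup manifest, tamper-evident signature and restore verification (added example)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form, so a manifest edited to match
    tampered files is rejected unless the attacker also holds the key."""
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest, restored_root):
    """Return sorted (relative path, problem) pairs: 'missing', 'hash mismatch',
    or 'unexpected' for files the manifest never listed (e.g. a ransom note)."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif _sha256(path) != digest:
            problems.append((rel, "hash mismatch"))
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return sorted(problems)


def demo():
    """Constructed scenario: back up three files, confirm a clean restore, then
    simulate ransomware reaching the backup set and show what the check reports."""
    key = b"offline-manifest-key"  # assumption: kept off the network with the offline copy
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "loans"))
        for rel, body in {"loans/app1.pdf": b"%PDF-1.4 loan application",
                          "payroll.csv": b"id,name\n1,j\n",
                          "notes.txt": b"hello"}.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)
        tag = sign_manifest(manifest, key)
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        clean = verify_restore(manifest, backup)          # expected: no problems
        # Tamper with the backup: encrypt one file in place, delete another, drop a note.
        with open(os.path.join(backup, "payroll.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "HOW_TO_RESTORE.txt"), "wb") as f:
            f.write(b"pay us")
        after = verify_restore(manifest, backup)
        # An attacker who edits the manifest to match the tampered file still fails the HMAC.
        forged = dict(manifest, **{"payroll.csv": _sha256(os.path.join(backup, "payroll.csv"))})
        return {"clean": clean, "after_tamper": after,
                "tag_valid": verify_manifest(manifest, tag, key),
                "forged_tag_valid": verify_manifest(forged, tag, key)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In production the manifest and tag travel with the offline media, and the restore test is run on a clean, isolated host against a fresh restore rather than against the live backup target, so that a compromised backup server cannot report its own integrity.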

A well-designed backup strategy is worthless, however, without a solid incident response plan. This critical step helps banks restore systems quickly and minimize downtime in the event of a ransomware or other attack. A cyberattack is highly stressful. So, to avoid a paralyzing panic, your response plan should provide step-by-step instructions on who does what and when. The plan also should be kept offline to ensure that it’s accessible if your systems aren’t.

Be prepared

All banks should have a comprehensive cybersecurity plan to prevent ransomware and other cyberattacks and to minimize damages should an attack occur. If your bank doesn’t have a plan or you’re unsure whether your plan provides the protection you need, contact one of our industry leaders about conducting a cybersecurity risk assessment with ATA Secure.

© 2022