Protecting Your Data Amid a Ransomware 'Explosion'
Important cybersecurity considerations for credit unions include prevention, detection and cyber insurance.
For credit unions, the risk of falling victim to a ransomware attack is without a doubt high, according to several cybersecurity experts who work in the financial services space. And while the process of mitigating that risk might seem costly and confusing, taking steps to get ahead of an attack before it hits is the only way credit unions can protect not only their sensitive data, but their business volume and reputation.
Ransomware – a type of malware that holds an organization’s data “hostage,” and threatens to release it to the public and/or make it inaccessible until a ransom is paid, usually in cryptocurrency – has grown in sophistication since its first recorded case in 1989. James Turgal, vice president of cyber risk, strategy and board relations for Optiv Security in Denver, said ransomware has evolved in the past decade to the point where nation states are writing their own ransomware code and carrying out coordinated attacks – and that financial services organizations have always been appealing targets.
Chris Sachse, CEO of the Baltimore-based cloud and cybersecurity organization Think|Stack, said the biggest shift he’s seen in regard to ransomware in recent years is that it’s become a business. “There are two ransomware firms that literally create open source ransomware software, and then hackers can buy that software from them and they get a percentage of the ransom,” he said. “We’re continuing to see people pouring innovation dollars into it because it’s so effective. If your goal is to exploit money out of an organization, ransomware is probably still the most effective way to do that.”
Turgal, whose cybersecurity career has included spending 22 years investigating and solving cybercrimes for the FBI, and personally helping many companies respond to and recover from ransomware attacks, also said hackers have been exploiting the public’s interest in information about ongoing crises, namely the COVID-19 pandemic and Russia’s invasion of Ukraine, by embedding ransomware into phishing emails, using pandemic- or war-related maps and news as a front to entice victims to click on the malicious links. “We’ve seen this true explosion of ransomware since the advent of COVID, and it’s only just continuing to increase from there, especially against critical infrastructure, which includes financial institutions,” Turgal warned.
Dormant but Dangerous
Since Russia began its violent physical attacks against the Ukrainian people in late February, U.S. cybersecurity experts have been on high alert for an increase in internet-based attacks coming out of Russia – a known hotbed of hackers. To date, fears of a catastrophic attack have not come to fruition, however Sachse said he’s concerned hackers may have quietly entered systems belonging to credit unions or credit union vendors, injected them with malicious code, viruses or malware, and are poised to cause mayhem.
“If the credit union doesn’t have sophisticated security monitoring, a piece of malicious code could sit there somewhat dormant until someone decides to turn it on, and that means they’ve already gotten in the back door,” he said. “Imagine someone hiding in your closet, and unless you go check that particular closet, which unfortunately is harder to do than it may seem, that thing could potentially sit there without anyone knowing.”
Sachse added his biggest fear relates to the fact that the potential for a large Russian cyberattack has been talked about so frequently lately – including by the NCUA, which issued a new cyberattack warning to credit unions in late March. “I’m scared of the boy who cried wolf syndrome, in that there hasn’t been some coordinated attack and I hope that people don’t sit back and say, ‘Well this is much ado about nothing.’ It could be that they’re in there right now, actively planning,” he said.
Allen Eaves, managing director of financial crimes for the Monett, Mo.-based Jack Henry & Associates, said in monitoring the systems of both Jack Henry’s credit union clients and the company itself, he has seen a lot of scanning activity originating from Russia and its neighboring countries.
“We’ve seen an uptick of chatter, if you will – just kind of doing reconnaissance, which could go a couple of ways,” Eaves said. “It could mean they’re trying to survey the landscape to see where the vulnerabilities are, in case they want to pull the lever and launch an attack. It could also be that because they know that’s our concern, they just want to create chatter and noise, play the war game and keep themselves relevant.”
What’s more, a joint Cybersecurity Advisory (CSA) released on April 20 by the cybersecurity authorities of the U.S., Australia, Canada, New Zealand and the U.K. warned that evolving intelligence indicated the Russian government is exploring options for potential cyberattacks, including against critical infrastructure organizations in those five countries. According to Turgal, “[Those five countries] are [releasing that CSA] because they are probably getting highly classified intercepts that these attacks are starting to occur. So it’s moving here.”
When a credit union is hit with ransomware or another type of cyberattack, whether it originated in Russia or elsewhere, the potential for loss is great. Sachse explained that the monetary loss to a credit union post-attack can reach millions of dollars – and that’s not because hackers can steal that amount of money, but because attack-induced system outages can last weeks or months, leading to lost business growth, unprocessed loans and lost members who feel their money is no longer safe with the credit union.
Defense Basics
Having a plan to detect and thwart cyber threats, including potential ransomware attacks, is essential for credit unions. But with so many possible approaches to cybersecurity to choose from, where should credit unions focus their attention and resources most?
Sachse said one best practice is to create immutable backups – data backups that cannot be deleted or changed in any way – which, if updated daily, would mean a credit union ransomware victim might lose one day of business at most. Completing frequent system patching, conducting data breach tabletop exercises and staying abreast of how third-party vendors are protecting their systems is also critical, Sachse said. “I think the hackers are going to hit the core providers, the PSCUs, the Co-ops because they have such a broad network,” he said in regard to vendor management. “Select the right partners and make sure they’re doing the right thing, because ultimately, it’s the credit union’s reputation. The member doesn’t know that Co-op manages their ATM – they just know that their ATM doesn’t work.”
He also emphasized that credit unions should not only use monitoring software to detect recognizable threats in their systems, but watch for unusual behavior, which also requires assistance from personnel. “So if Susie comes in every morning, logs onto her machine and opens up Symitar, [the software] starts to log that as normal behavior. Then if one day she comes in and accesses an application or folder she’s never accessed before, that would send an alert to a security analyst, who would probably call Susie and ask what she’s doing,” he explained.
Eaves split his best cybersecurity practices into two categories: Reducing exposure to vulnerabilities as much as possible, and having good visibility into what’s happening in your environment. The first category includes restricting employee access to any systems beyond those they must access in order to perform their job, as well as restricting network access to any locations beyond those it needs to reach to maintain normal business operations. “The more restrictions there are, the more difficult it is for a bad actor to traverse the entire environment, and the better chance you have at detecting it before it expands and becomes a bigger problem,” he said.
The second category involves detection and is just as important as the prevention component, according to Eaves. “If you’re always focused on prevention, your focus on detection starts to fall off a little bit,” he said. “Knowing what’s going on in your environment, and matching that up to threat indicators and having good threat data can be really powerful and effective.”
Turgal added that security basics for credit unions should also include implementing multifactor authentication across the enterprise, as well as strong passwords, and phishing and social engineering training for employees as often as every month.
When Ransomware Strikes
One question that will come to mind for a ransomware victim is: Should we pay?
Although the FBI’s official recommendation is not to pay the group or individual, some victims are left with no choice if they want to keep their business afloat. However, Turgal noted that for victims that did not back up their data and believe their only way to recover it is to pay the ransom, two things often stand in the way. First, many organizations do not have a cryptocurrency account to make the payment from. Second, making such a payment to certain groups could be a violation of Office of Foreign Asset Control rules, leaving the organization subject to enforcement action by the government.
Let’s say the victim pays the ransom anyway – what happens next? According to Turgal, there are three likely outcomes, none of which are reassuring. First, the victim could receive a decryption key for their data as promised, however, 18-22% of their data is likely to be unrecoverable, and the decryption process typically takes weeks. Second, the victim may not receive an encryption key because the bad actor never intended to return their data to them in the first place. Third, the victim could receive a decryption key that decrypts some of their data and slyly installs additional malware, taking things from bad to worse.
Credit unions that maintain backups and have excellent cyber hygiene can avoid all three of these outcomes; however, there may still come a day when ransomware brings their systems down. In that case, Turgal said the next steps include determining how the hackers got in, closing gaps, resetting passwords and eventually exfiltrating them from the system.
“If you’ve employed concepts like zero trust and you’ve micro-segmented your networks and ecosystem, as the threat actors try to move and brute force their way through your networks, you’re going to see those actions in real-time and be able to isolate those particular parts of a data center, and literally be able to lock the threat actor into a certain set of file areas where they can’t move anywhere else in the organization,” Turgal said. “And then you basically cut off their access, and they’re done.”
Ensuring Coverage
All three experts agreed that cyber insurance is a key component of cyberattack protection for credit unions. But they also noted a current concern for policy holders is the potential to be denied coverage if an attack is considered an “act of war” – not that far-fetched of a scenario these days.
Chris Keefer, principal of preventive law practice Keefer Strategy in Portland, Ore., said there’s no question insurers will proactively find ways to deny coverage, and gave the example of the 2017 NotPetya ransomware attack, which led to international companies Mondelez International and Merck becoming embroiled in litigation after their insurers denied coverage because they alleged the cyber event, which originated in Russia, arose out of ongoing hostilities with Ukraine.
“And Russia and Ukraine weren’t even officially at war when this occurred. Well they are now, so insurers won’t likely cover any cyber losses even tangentially related to either country,” Keefer said.
He said credit unions need to be wary of “acts of war,” “hostile acts” and “government acts” exclusions in their cyber insurance policies, the third of which can be the most problematic, as it could mean any loss arising out of an event that could be considered a state-sponsored act would be excluded from coverage.
Keefer advised credit unions to proactively review their insurance policies for these issues and not simply rely on what their brokers tell them.
“Keep in mind, brokers are not lawyers, and how certain exclusions could apply to potential losses involves construction of a voluminous legal contract,” he said. “If you’re unsure whether a particular exclusion could apply, test your insurer with a hypothetical to see if there would be coverage under the policy. If yes, get that confirmation in writing, as you may need that golden ticket later. If not, find out what you need to do to get coverage – even if that means going back to the market.”