Days Into Ransomware Attack, Many CUs Remain ‘Non-Operational’

A ransomware attack that began Nov. 26, impacting dozens of credit unions across the country, continues to hamper the operations of many credit unions that are clients of Ongoing Operations, a unit of Trellance Cooperative Holdings.

While the scope of the ransomware attack or who conducted the attack isn’t fully known, it appears the attack was aimed at Ongoing Operations, a credit union information technology organization acquired by credit union fintech Trellance in November 2022, and FedComp, a third-party vendor of Trellance.

In a blog post by Kevin Beaumont, a cybersecurity expert, he explained, “A ransomware group gained entry to Trellance via Ongoing Operations.” And the FedComp “platform was not patched for CitrixBleed, as no Netscaler patches had been applied” since May of this year. Beaumont added, “This is disrupting operations in a way which impacts millions of Americans.”

In a statement to CU Times Monday, NCUA spokesperson Joe Adamoli said, “The NCUA continues to work with the approximately 60 credit unions that experienced system outages affecting member account availability due to a ransomware attack at a third-party service provider. Although not fully operational, many of these credit unions have alternative services in place that allow members to access their funds. Credit union member deposits at the affected federally insured credit unions remain insured by the National Credit Union Share Insurance Fund up to $250,000.”

One of the credit unions impacted by the ransomware outage was the Peru, N.Y.-based Mountain Valley Federal Credit Union ($52.5 million in assets, 4,647 members). A statement posted Monday morning by the credit union’s CEO Maggie F. Pope and its board of directors provided a somber update.

“As of today, MVFCU’s data processing system remains non-operational. Our data processor is making progress,” the statement read. “Due to the number of credit unions affected and the volume of work completed in the past couple of days, it will take a little more time to launch our online banking platform. Just a reminder that you may still use your debit cards, get cash at ATMs or at any of our four branches (Peru, AuSable Forks, Keeseville, Wilmington). Please call one of our branches should you need additional help.”

The statement continued: “Please bear with us just a little longer as we work diligently to get you all connected to your financial information. Again, we are truly sorry for this inconvenience and are hopeful that this situation will be resolved very soon. We do appreciate your patience, support and understanding as we get through this.”

Officials with Ongoing Operations have not given a status update on the ransomware attack since Saturday, Dec. 2. In that statement, Ongoing Operations said it “experienced an isolated cybersecurity incident” on Nov. 26.

“This incident is isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems,” the statement read. Ongoing Operations said it had notified federal law enforcement.

Trellance has not released a statement, but its website links to the statement from Ongoing Operations.

This ransomware attack provides NCUA Chairman Todd Harper another example to bolster his ongoing push for the agency to receive third-party vendor authority. Three weeks ago Harper testified before the House and Senate Banking Committees asking for their help to update the Federal Credit Union Act to give the NCUA that authority.

During his Senate testimony, Harper warned lawmakers that due to “increased industry concentration, intensifying cyber threats and greater outsourcing of core business functions, the Government Accountability Office, the Financial Stability Oversight Council and the NCUA’s Inspector General have all recommended congressional action to restore the NCUA’s statutory examination authority over third-party vendors.”