Banking in the Ninth

Managing the Increasing Risk of Ransomware

Safety & Soundness Update - September 2016

Rory Guenther | Senior Examiner

Published October 12, 2016  | September 2016 issue

On November 3, 2015, the FFIEC issued a statement alerting financial institutions to an increase in both severity and frequency of cyber attacks, often involving the use of ransomware. Cybercriminals have been using ransomware for several years but have recently shifted their focus to financial institutions, and we have had reports of ransomware incidents in the Ninth District.I will provide a basic overview of ransomware and the potential implications of a ransomware event. I will also highlight some nontechnical actions from the FFIEC statement that can specifically help manage risks related to ransomware.

What is ransomware?
Ransomware is a type of malware that typically encrypts data on a target machine and/or connected network. The program is often introduced when an employee opens an email attachment or clicks on a malicious web page or ad. Cybercriminals then extort the victim organization for payment in order to release or unlock the files. Attackers commonly request payment using the electronic currency Bitcoin, making it nearly impossible for law enforcement to track.

Potential impact of a ransomware event
Hackers have customized ransomware to not only infect and encrypt data on an individual machine, but also to spread across any connected network to other workstations, servers, backup devices, or connected third parties. If your organization becomes a victim, the implications could range from disconnecting and recovering a single workstation to having multiple servers, databases, and entire systems becoming unavailable. You may also be impacted by a ransomware incident at a critical service provider or third party.

Protecting your organization from ransomware
In the November press release, the FFIEC references existing risk management guidance and specifically highlights eight general steps financial institutions should consider. Management should review the press release and take into account all of these important actions to address overall cybersecurity risk management. For the remainder this article, I will focus on some nontechnical control activities management should take into consideration, which could significantly minimize both the chance of an incident and the impact it has on your organization.

Nontechnical ways to manage ransomware risks
Review and update information security awareness and training programs to include cyber attacks involving extortion and to foster a culture that encourages disclosure.
The most effective way to prevent a ransomware incident is to educate staff on the importance of cybersecurity, to prevent them from clicking on suspicious attachments, or visiting unnecessary websites. Getting employees to understand the potential implications for the entire organization is a critical milestone to managing this risk.

It is also important for management to foster an open corporate culture that encourages honest and prompt reporting when an incident may have occurred. Employees who believe they will be punished for even a one-time mistake might avoid reporting anything suspicious. This silence can lead to a much greater loss for the organization if ransomware has time to spread across the network.

Review, update, and periodically test incident response plans to minimize risk and disruption should a ransomware incident occur.
Financial institutions should have incident response plans that are up to date, realistic, and sufficiently tested. Regulators are increasingly looking for evidence of regular testing. Management should ask itself and staff the following questions to assist in this review: Does your current incident response plan adequately respond to a ransomware incident? Does your plan consider nontechnical decisions that you would need to make? Does the plan include reliance on third parties? Have you discussed the plan with service providers and included them in testing? Would their priorities or capabilities change if a ransomware incident was impacting multiple customers?  Who should you notify in case of an incident?

Management should also include a ransomware incident as a scenario or a tabletop exercise as part of regular testing of your response plans. Involve nontechnical staff in the discussions to reinforce awareness. Questions to ask during that scenario could include: Would you pay the ransom? Or would it depend on the criticality of the data, the potential downtime, or the cost to recover from backup? How much is an hour of downtime worth?

An oft-cited sentiment in the information security industry is that it is not if you get hacked, but when you get hacked. Be sure your organization is prepared to respond and minimize the impact of a ransomware incident by educating employees and testing incident response plans.