How to defend your bank from ransomware

Cybercrime often mirrors crime in the physical world, and nowhere is this more apparent than with the ever-evolving incidence of ransomware.

Ransomware fraudsters use trickery and deceit to take possession of a business’s or bank’s networks or most valued data. They use malware to lock it down and hold it hostage until the victim pays a ransom to have it unlocked. If the besieged bank or business refuses to pay, the data or networks are often deleted or destroyed. This form of cybercrime has gained popularity because it offers a big reward with little risk, and, in many cases, criminals don’t need much expertise to perpetrate it.

“Ransomware is the attack du jour,” says Joseph Krull, senior analyst for cybersecurity at Aite Group in Boston, whose research regards “the scourge of ransomware” as a top attack trend of 2020. “[We saw] a wide range of organizations both large and small hit by ransomware in 2019, and we’re predicting that ransomware attacks will grow in 2020. Ransomware attacks are relatively easy to launch and result in what seems to be easy money for the attackers.”

With ransomware, bad actors typically gain access by luring an unsuspecting employee with an artful phishing email, attachment or fraudulent hyperlink that downloads the malware, which will seek out and encrypt data and networks. In these attacks, criminals can often recycle effective phishing schemes, scam sites and malware across a multitude of victims, thereby collecting many ransoms with a single strategy.

Black-hat hackers keep plying their trade, trying to stay at least one step ahead of the banks and businesses that are becoming more wary of such scams and guarding themselves against such attacks.

“Community and regional banks are certainly potential targets,” Krull says, noting that hackers see smaller financial institutions as having smaller security budgets and teams, thereby making them easier targets.

Eyewitness accounts

Kyle Kunnen, senior vice president and information security officer at $3.6 billion-asset Mercantile Bank of Michigan in Grand Rapids, Mich., has seen ransomware attackers ratcheting up their approach in recent months. He says they’re attempting to not only breach a wider range of enterprises but also form a cottage industry out of providing services and tools to less-skilled bad actors.

“The adversaries here have monetized their tools and services [and are] selling them on the dark web as complete kits,” Kunnen says. “You could be a junior-level thief and they’ll provide the information, all you need—[they’ll] even collect the bitcoin [ransom].”

Kunnen says the barrier of entry is low. “You don’t need to be a knowledgeable individual anymore,” he adds. “It’s not a tough market to get into. They’re just looking for soft targets. Community banks are looking for ways not to be those soft targets.”

Gary Wagers, executive vice president for retail products and services at $12 billion-asset Banner Bank in Walla Walla, Wash., has seen ransomware purveyors on the prowl among bank vendors and business customers. Case in point: The ransomware breach that very publicly caused Travelex, a foreign exchange service provider, to shut down for more than a week in January affected many of its bank customers, both large and small.

“We’re seeing ransomware events [like this] that are meaningful … and they’re usually caused by not properly doing patches [to software],” Wagers says.

He suggests that community banks spend more time vetting and communicating with third parties to ensure that they’re taking precautions.

Attackers are becoming more adept in gaining access to enterprise systems and even in how long they’re willing to wait for a reward, according to Paul Schaus, president, CEO and founder of CCG Catalyst, a bank consulting firm in Phoenix.

“We’re seeing an increase in ‘delayed bombs’,” he says. “The ransomware is set off by [an employee] clicking on a link, and then it’s activated two to four months later. We’re seeing that happen more, when it’s buried in there and IT departments don’t see it.”

Schaus notes there have been more ransomware attempts in general, as “players are getting more sophisticated and many banks are not keeping current because of the cost.”

Ransomware attacks continue to occur at an alarming frequency because attackers know they are effective, and they know that if a system is successfully compromised, a victim will generally pay the ransom, according to Robert Capps, vice president of market innovation for NuData Security, a Mastercard company in Vancouver, Canada. “Largely, [attackers] are getting better at targeting and response rates,” Capps says. “They are crafting more convincing messages to convince someone to open the message and take an action. We’ve seen more thought put into sending attacks to specific organizations and individuals, instead of blanketing an entire list of email addresses.”

A multi-pronged approach

Most community bankers know their institutions can become targets of ransom-seeking attackers even though they’re not global brands and might lack the deep pockets of megabanks. With that in mind, community banks have been upping their game in hope of preventing hacks or at least mitigating their impact.

According to Capps, many community banks have implemented a multifaceted defense strategy that includes phishing and email safety education training for staff, technical security controls for systems and devices, effective data and system backups, and disaster recovery and information security incident management procedures.

“There’s an awareness that phishing and malware risks are ever present and a need for employees and consumers to be vigilant in their online interactions,” he says. “It’s legitimately difficult to cover all possible ways a device can become infected with ransomware.”

More community banks are outsourcing their core systems and keeping less account holder data in their on-premise networks to reduce attacks, says Tom Wojcinski, a director of risk advisory services practice at Wipfli, an accounting and business consulting firm in Milwaukee.

Wagers agrees that most banks “are spending more time on vendor management … with an eye toward control systems and stability and business continuation programs. It’s critical if we’re sharing information with a third party.”

Whether on-premise or outsourced, Kunnen says that Mercantile Bank of Michigan, like many banks, has taken steps to make sure that it keeps data current and backed up frequently. “With ransomware, if you don’t have the tools to catch it quickly enough,” Kunnen says, “the backups are the only thing to save you.”

“With ransomware, if you don’t have the tools to catch it quickly enough, the backups are the only thing to save you.”

—Kyle Kunnen, Mercantile Bank of Michigan

He adds that security and IT managers should consider how long it will take to recover those data backups and discuss with senior management how to handle ransom demands as part of their incident response strategy. “Community banks are starting to have those hard discussions,” he adds.

Tyler Leet, director of risk and compliance services at CSI, a banking technology provider in Paducah, Ky., says perhaps most importantly, banks are developing a “culture of security” wherein all employees understand their responsibility for maintaining the community bank’s good cyber hygiene.

“Having a good incident response plan in place means banks are not running around like chickens with their heads cut off when attacks happen,” Leet says. “The more you prepare, the quicker you can react, and the less damage to an organization. No single control is the silver bullet.”