Last fall, the U.S. financial services division of Industrial and Commercial Bank of China (ICBC), China’s largest commercial lender, was hit with a ransomware attack. It was so devastating that it reportedly affected the trading of U.S. Treasuries.

As its name implies, “ransomware” is a maneuver by bad actors to take control of a company’s software systems or proprietary information and demand payment for returning control to the rightful owners. Increasingly common, ransomware is a cybercrime so nightmarish that it keeps business executives up at night.

Not only has the number of ransomware attacks increased in the past year, but the sums demanded are skyrocketing, according to Beth Sumner, vice president of customer success at Finosec, an information security and cybersecurity governance provider for financial institutions. “It used to be that the ransom was $50,000. Now most ransoms are over $1 million—and that’s just where they start,” she says.

The statistics bear this out. A July 2023 report by cybersecurity firm Sophos found that financial organizations recently paid an average of $1.6 million to their ransomware attackers to recover their data, a staggering increase over the previous year’s average of $272,655.

The good news is that “even as the pace of ransomware attacks has ramped up massively this year, the impact on financial services has been muted,” says David Shipley, CEO and cofounder of Beauceron Security, a cybersecurity fintech in New Brunswick, Canada. He explains that the industries that have experienced “staggering increases” in ransomware attacks include schools, municipalities and hospitals.

Financial institutions are less appealing to cybercriminals because they are generally more resilient and better armed against hacks, explains Shipley. “Picking a fight with a community bank is like going after a black belt in karate,” he says. “Going after these other targets is like picking on a little kid for their lunch money.”

To pay or not to pay?

Cybercriminals and their targets are engaged in a proverbial game of cat and mouse, each switching tactics as the other gets wise to their plans.

One of the latest twists on ransomware is what’s known as double, and even triple, extortion. Beyond demanding money to decrypt a company’s data, criminals are using stolen customer data to extort a company and/or its customers by threatening to release that data on the black market. The third level of extortion is accepting a ransom while setting up for a future backdoor attack—and then demanding a second ransom for not reinfecting a system.

Banks’ superior preparedness has some disadvantages. Too often, says Sumner, community banks figure that they’ve already invested in ransomware detection and protection, so they’re safe.

“I hear it said, ‘We did that 18 months ago, so why do we have to upgrade and buy something else now?’” she says.

One central debate in dealing with ransomware is whether to pay. Steven Estep, ICBA assistant vice president, operational risk, takes a dim view of acquiescing to criminals’ demands. Giving them money, Estep argues, “might mean there’s now a target on you because [the cybercriminals] know that you will pay.”

Estep also points out that if a payment is made to hackers based in a country that has been sanctioned by the Department of the Treasury’s Office of Foreign Assets Control, or OFAC, that could place a bank in serious legal trouble.

That said, ransoms do get paid. The hackers of ICBC, for instance, claim that their demands were met.

Ransomware defense prep matters

Even with ransomware attacks growing increasingly complex, there is a common playbook for how hackers operate.

“Phishing and social engineering tend to be high on the criminals’ lists of how they’re getting into systems,” says Estep.

Exploiting Common Vulnerabilities and Exposures, or CVEs, is another routine play by hackers. For this reason, patching software immediately is critical, as are other aspects of good “cyber hygiene.” These include using strong, unique passwords and keeping all multifactor authentication systems on (even when an executive balks).

Often, smaller organizations are targeted because they have less stringent cyber hygiene, says Sekhara Gudipati, managing director at Crowe LLP. He therefore emphasizes the importance of employee training and awareness. Given the pace of change in ransomware attacks, Gudipati notes that many savvy organizations have increased the frequency of their cyber-training sessions to as often as twice a year.

One critical resource for community banks is the Ransomware Self-Assessment Tool, or R-SAT (csbs.org/ransomware-self-assessment-tool). Version 2.0 of the tool, which was developed in collaboration with, among others, state bank regulators, was released on Oct. 24, 2023.

A bank’s cybersecurity insurance provider is another important ally.

Here, it’s essential to understand your cyber insurance policy, says Sumner, noting that these policies increasingly include exclusions, often for ransomware (or “cyber extortion,” which is the preferred term of many insurers).

Be sure to involve authorities

Ransomware attacks are crimes, so both regulators and law enforcement authorities should be notified following an attack, says Sumner.

She points out that while many community bankers might feel embarrassed to report a cyberattack, fearing it may reflect poorly on them, the FBI and Secret Service can save the day. She knows of community banks that notified the FBI and then found—to their delight—that the authorities had the necessary decryption key already in their possession.

Finally, staying informed about ransomware should rate high on every community banker’s to-do list, because this crime shows no signs of going away.

“Cybercriminals never stop,” concludes Sumner. “They’re always moving and they’re always looking for new ways in.”