Ransomware: Should Banks Prepare to Pay or Be Ready to Refuse?

Editor at Large

Cybercriminals have been ramping up ransomware attacks, with financial services firms as one of their top targets.

Ransomware is malware that encrypts files and databases and keeps them locked until the victim pays a ransom, typically in the digital currency bitcoin.

In a September alert, the FBI noted that new ransomware variants are emerging regularly.

"Cyber security companies reported that in the first several months of 2016, global ransomware infections were at an all-time high. Within the first weeks of its release, one particular ransomware variant compromised an estimated 100,000 computers a day."

In late October, Beazley, an insurance company that provides protection against ransomware attacks, said it's seeing a 400% increase in ransomware attempts among its clients; 20% of these attacks are on financial institutions. Security vendor Proofpoint has logged a steady increase in attacks throughout this year. At Dell SecureWorks, chief technology officer Jon Ramsey said ransomware is a top-three security priority among his large corporate clients.

And at Bank of the West, "We've seen a significant increase in ransomware attempts on the bank as well as among our customers," said David Pollino, deputy chief security officer and senior vice president. "Anyone who's not taking ransomware seriously needs to reevaluate their security approach."

Financial services victims tend to be smaller banks and credit unions, according to Paul Nikhinson, data breach response manager at Beazley. "A Bank of America or Chase has taken the technical controls to make this be a hiccup but not a crisis," he said. "A $100 million credit union cannot spend the kind of money on technology, people, process, to prevent this type of stuff, and it becomes a much more serious issue for them."

It's hard to find any news stories of financial institutions succumbing to ransomware.

"There could be some code of silence there, as far as not wanting to talk about getting hit by something so generic and seemingly easy to prevent," theorized Keith Jarvis, senior security researcher at SecureWorks, who was the first to discover some ransomware strains. "Financial institutions are being hit."

The groups running ransomware also run Trojans that hit banks' consumer and commercial clients with wire fraud and automated clearing house fraud. "So they're adept at financial fraud, but they're also realizing they can make pretty good margins on ransomware, too," Jarvis said.

Why Now?

The rise of ransomware is in part a pivot away from traditional cybertheft. Exploits that steal Social Security, driver's license and credit card numbers and sell them on the dark web have become so common that the supply of the pilfered data is outstripping demand.

"If you break into a system and steal hundreds of thousands of Social Security numbers, it's going to take you a really long time to monetize that information," Nikhinson said. "You're going to have to find buyers, pop up the data, and it's a whole lot of work. Whereas ransomware is a pivot to another economic model that cuts out the middleman. You're no longer looking for a buyer for the information you've stolen, you're just selling access to information back to the person you stole it from."

The hackers doing this are smart but lazy, he said. "They could get a legitimate job coding for some company here in Silicon Valley, but why do that when you could make easy money?"

Pollino speculates that finding the meaningful information to commit a lucrative crime can be difficult. "It's easier just to get the sure thing – the bird in hand is worth more than two in the bush," he said. "If I can get a small dollar number from a lot of people, it's a lot less work for me than trying to go after the big score."

Another trend behind the rise of ransomware is bitcoin, which, despite the auditability of the public blockchain, can be difficult to trace if users know how to cover their tracks.

"Without a mechanism to get your ransom in an anonymous fashion, this isn't something that could work long term," Nikhinson said. Money orders don't work because they have to be sent to an address that can be tracked. "Bitcoin has significantly helped this become a big deal."

The ransom amounts tend to be small numbers of bitcoin, which equates to hundreds or thousands of dollars. It's curious the hackers don't ask for more, considering the havoc they can potentially wreak on a company.

"They may not know the exact dollar value of disruption to the enterprise," Pollino said. "They may not know they could ask for a larger dollar amount." Also, they may want to stay under the radar of law enforcement. A large sum could attract the attention of regional or even international authorities.

To Pay or Not to Pay

Banks and their customers grapple with the question of whether the ransom should be paid. The FBI at one point suggested victims in some cases should pay up. In its September bulletin, however, it reversed that guidance.

"Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom," the agency wrote. It also noted that paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain.

Once a company's data has been encrypted by ransomware, the decision of whether or not to pay the ransom is tricky, according to Nikhinson. One thing his company does is try to figure out which ring is behind the attack.

"Certain groups are known to be more reliable in the sense that if you pay them, they do what they say, versus others, not so much," he said.

"If you pay, you're making yourself more likely to get attacked again – you go on a list of folks that are willing to pay ransom," Nikhinson said. "But if you're running a bank and you're going to be in trouble unless you pay these guys $5,000 to give you your data back, you might have a different thought process."

Victims are usually given tight deadlines, such as 24 hours, within which to pay. It can be a scramble to get the bitcoin fast enough.

"I've seen folks drive cross-state to find a bitcoin ATM to get the bitcoin in time to do all this," Nikhinson said. "What's been fascinating to me is some of the new attack groups have created customer service departments that will help walk customers through the process."

Clients often ask Beazley's threat response team if they should have bitcoin on hand to be prepared to pay the ransom.

One danger of storing bitcoin is that malware looking for valuable information can steal it. It needs to be stored in a secure bitcoin wallet and the private keys need to be protected. The other problem is bitcoin is a very volatile currency, so value could be lost.

Another hard-to-answer question is whether ransomware attacks have to be disclosed. Banks have to disclose any cyberattack to their regulator. But whether or not they have to tell customers is up to 47 different state laws.

"The best is, it depends," Nikhinson said. "In the absence of a unifying federal statute, the states have taken different perspectives on how they treat this. It's really difficult for companies because if you're doing business across state lines you might have California law telling you one thing, but Massachusetts law telling you another."

Mitigating Attacks

The FBI offers a set of specific steps to defend against ransomware attacks.

Bank of the West's anti-ransomware arsenal includes training about phishing, software that searches for malware in email, antimalware and antivirus software, endpoint security, network security, real-time backups and offline backups. Multiple types of backups help ensure that if an attack occurs, the bank could disable the affected workstation or server, switch to a backup and carry on.

"It's about using the most effective layered approach, more than one technology in more than one place using more than one method in most cases from different vendors, and a strong remediation plan when things do get through," Pollino said.

He worries more about small business customers that are less protected. The bank tries to keep them informed about the dangers of ransomware and drill them on the need for backups and a plan in case a ransomware attack happens.

After all, having a small business customer brought down by ransomware could lead to trouble for the bank.

"When a customer is impacted by ransomware, if we think through the bad things that can happen, they may lose data or availability of systems," he said. "We want strong businesses, which are strong customers."

Editor at Large Penny Crosman welcomes feedback on her posts at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Data security Cyber security
MORE FROM AMERICAN BANKER