Ransomware: A Multifaceted Menace
by Colin Gavin, Lead Risk Management Specialist, Supervision and Regulation, Federal Reserve Bank of Chicago, Ahmed Hussain, Senior Risk Management Specialist, Supervision and Regulation, Federal Reserve Bank of Chicago, and William Mark, Lead Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago
Ransomware has become a well-known, everyday term. Department of Homeland Security Secretary Alejandro Mayorkas defined ransomware as “a particularly egregious type of malicious cyber activity that usually does not discriminate whom it targets. It is malicious code that infects and paralyzes computer systems until a ransom has been paid.”1 Ransomware is commonly spread through user action, such as clicking on phishing emails or spam or by visiting an infected website, and often culminates in an ominous extortion threat being displayed on the victim’s screen.
The risk of a ransomware attack is omnipresent. However, the financial sector is particularly at risk. Based on an analysis of ransomware-related suspicious activity reports (SARs), the Financial Crimes Enforcement Network (FinCEN) noted that “ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses, and the public.”2 Although any person or company is a potential target of these attacks, domestic and internationally active U.S. banks are common targets. The SANS Institute3 reinforced the magnitude of ransomware threats by noting that the financial services sector is among the top targets (see Table).
Table: Extent of Ransomware Breaches and Exposures

| Sector | Q1 2023 Compromises | Q1 2023 Victims | Q1 2022 Compromises | Q1 2022 Victims | Q1 2021 Compromises | Q1 2021 Victims |
|---|---|---|---|---|---|---|
| Education | 31 | 357,001 | 21 | 106,099 | 24 | 112,684 |
| Financial Services | 70 | 1,707,880 | 68 | 5,732,597 | 49 | 7,848,115 |
| Government | 23 | 758,901 | 13 | 790,763 | 11 | 647,917 |
| Healthcare | 81 | 13,879,551 | 73 | 4,377,462 | 71 | 3,332,703 |
| Hospitality | 6 | 176,404 | 6 | 57,392 | 6 | 53,152 |
| Manufacturing and Utilities | 54 | 38,161,023 | 52 | 249,706 | 38 | 384,934 |
| Nonprofit or Nongovernmental Organization | 18 | 75,222 | 20 | 629,822 | 15 | 509,219 |
| Professional Services | 42 | 69,227 | 45 | 3,022,491 | 30 | 3,566,213 |
| Retail | 16 | 170,080 | 18 | 272,950 | 20 | 506,821 |
| Technology | 33 | 22,362,858 | 16 | 10,832,588 | 23 | 17,377,396 |
| Transportation | 12 | 11,095,128 | 8 | 20,930 | 14 | 139,250 |
| Other | 59 | 327,411 | 64 | 675,411 | 53 | 6,695,075 |
| Unknown | - | - | - | - | - | - |
| Totals | 445 | 89,140,686 | 404 | 26,768,211 | 354 | 41,254,479 |

Source: John Pescatore and Terry Allan Hicks, “SANS 2023 Attack and Threat Report,” June 26, 2023, available at www.sans.org/white-papers/sans-2023-attack-threat-report/.
How Did We Get Here? The Growing Sophistication of Threat Actors
In 1989, a cyberattacker implemented a ransom scheme by mailing seemingly innocuous floppy disks to unsuspecting event attendees and then demanding $189.4 Today, ransomware attacks can incapacitate a company’s operations, severely hampering its business processes. Ransom demands can range from hundreds of thousands of dollars to millions of dollars in some instances.
Over the past several years, insidious ransomware attack tactics have evolved. Ransomware threat actors have developed into organized enterprises, as witnessed through ransomware-as-a-service (RaaS) operations. RaaS consists of threat actors pooling technical knowledge from trusted affiliates to facilitate attacks. Two high-profile examples of RaaS attacks occurred in May 2021. An attack on the Colonial Pipeline Company resulted in a temporary, but severe, disruption of fuel supplies across large sections of the East Coast of the United States. A second attack, on JBS Foods, the world’s largest meat processor, raised the specter of a similar disruption to meat supplies across the United States. In both cases, these companies paid significant ransoms to the perpetrators to regain control over their business operations.
Another tactic demonstrating the heightened organizational practices of threat actors is the double-extortion technique. In a double-extortion situation, the attacker extracts sensitive information from a company and threatens to release the data publicly. This threat of exposure of information, in addition to the restricted access to files, amplifies the urgency that a company faces in dealing with the ransom demand to retrieve the stolen data. Related payment demands typically escalate over time. This attack methodology has mutated into the multiple extortion scheme, in which the threat actor uses stolen data to target a company as well as the company’s clients, customers, and third parties for ransom payments. This can be extended to a distributed denial of service (DDoS) attack.5 All these actions are taken by the attacker to increase the pressure on the victimized company to pay the ransom.
How Do They Do It? Common Infection Vectors
Cybercriminals use numerous attack vectors to infiltrate an organization’s network. New variants continue to emerge. Software vulnerabilities, phishing, compromised credentials, and unsecured remote desktop protocol (RDP) are among the most common attack vectors used by threat actors, as noted in many different studies, such as the annual ransomware study by cybersecurity company Sophos.6
Software vulnerabilities are the most common and significant vector used in successful ransomware attacks. Ransomware threat actors often prey on software vulnerabilities to gain access to a company’s network to deploy attacks. A company’s software is vulnerable when the company has not properly updated or patched its software or when it has reached end of life. Software vulnerabilities are often easy targets for even low-skilled threat actors. This type of attack is often hard for a company to detect, resulting in a lingering dwell time.7 This dwell time provides a perpetrator with time to identify potential data targets by moving laterally across a company’s compromised network.
Phishing intrusions represent another common deployment method for ransomware attacks. In a phishing intrusion, the threat actor contacts a targeted user via an email that includes a request to click on an attachment or a link in the email or to enter authentication credentials on a website. The email may appear to originate from a known contact or believable source. Further, the email could contain a file such as a PDF that appears credible but contains embedded macros that initiate the ransomware. Phishing has several variants:
- spear-phishing, which is a targeted attack sent to a specific individual or group within a targeted organization;
- whaling attack, which is a spear-phishing campaign targeting a company’s high-level employee(s); and
- cloning attack, in which a cybercriminal leverages a company’s existing or previously distributed email with links or attachments and replaces the legitimate links and attachments with nefarious versions containing ransomware.
Compromised credentials are typically leaked on the dark web without user knowledge, allowing unlimited access to various related systems. Because many users use the same password to access multiple services and platforms, attackers employ automated tools that use brute force8 to log into these accounts, enabling easy ransomware deployment. These tools are also used to steal personal financial information, compounding the impact of the breach.
Similarly, attackers can take advantage of RDP, a Microsoft application designed to provide remote access to other computers over the internet. RDP ports are often easily identified from the internet, and security relies on strong password controls, which users often discount. Threat actors engineer these attacks using brute-force strategy to harvest the credentials of a company’s employees. These actions by threat actors are also often conducted on the dark web, allowing them to use RDP access to deploy ransomware, thus infiltrating a company’s information systems.
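The brute-force RDP activity described above leaves a recognizable trace in Windows logon auditing: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, cycling through account names, sometimes followed by a success (event 4624) from the same source. The following is an added example, not code from the article or from any product it mentions, of the kind of monitoring logic a bank's control environment would run over those events. The line format and all addresses, hosts and account names are constructed for the example; a real deployment would read the events from the SIEM or the Security log instead.

```python
"""Flag RDP password-guessing activity in Windows logon events.

Added example: the log format below is a simplified, constructed
rendering of Security log events 4625 (failed logon) and 4624
(successful logon). logon_type 10 is RemoteInteractive, i.e. RDP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from a real system).
SAMPLE_LOG = """\
2024-01-15T02:14:03Z host=FS01 event=4625 logon_type=10 user=administrator src=203.0.113.45 status=0xC000006A
2024-01-15T02:14:05Z host=FS01 event=4625 logon_type=10 user=admin src=203.0.113.45 status=0xC0000064
2024-01-15T02:14:06Z host=FS01 event=4625 logon_type=10 user=backup src=203.0.113.45 status=0xC0000064
2024-01-15T02:14:08Z host=FS01 event=4625 logon_type=10 user=jsmith src=203.0.113.45 status=0xC000006A
2024-01-15T02:14:09Z host=FS01 event=4625 logon_type=10 user=svc_sql src=203.0.113.45 status=0xC0000064
2024-01-15T02:14:11Z host=FS01 event=4625 logon_type=10 user=jsmith src=203.0.113.45 status=0xC000006A
2024-01-15T02:14:40Z host=FS01 event=4624 logon_type=10 user=jsmith src=203.0.113.45 status=0x0
2024-01-15T08:01:12Z host=FS01 event=4625 logon_type=10 user=mlee src=10.0.4.22 status=0xC000006A
2024-01-15T08:01:30Z host=FS01 event=4624 logon_type=10 user=mlee src=10.0.4.22 status=0x0
2024-01-15T09:30:00Z host=FS01 event=4625 logon_type=2 user=kiosk src=10.0.9.9 status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<logon_type>\d+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event"] = int(ev["event"])
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source whose RDP failures reach `threshold`
    within `window`, listing the accounts tried and any RDP success from
    the same source shortly after the burst (the highest-priority case)."""
    rdp = [e for e in events if e["logon_type"] == 10]
    failures = defaultdict(list)
    for e in rdp:
        if e["event"] == 4625:
            failures[e["src"]].append(e)

    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start, burst = 0, None
        for end in range(len(fails)):                 # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]          # keep the widest qualifying burst
        if burst is None:
            continue
        last_fail = burst[-1]["ts"]
        success_after = [
            e["user"] for e in rdp
            if e["event"] == 4624 and e["src"] == src
            and last_fail <= e["ts"] <= last_fail + window
        ]
        findings.append({
            "src": src,
            "failures": len(burst),
            "accounts": sorted({e["user"] for e in burst}),
            "success_after_burst": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the constructed data only 203.0.113.45 trips the rule: six failures across five account names in eight seconds, then a successful logon as jsmith from the same address, which is the pattern that should page someone rather than wait for a daily report. The single failure from 10.0.4.22 and the non-RDP failure from the kiosk are left alone, which is the point of keying on logon type and on a rate rather than on any failed logon.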
Other ransomware attack vectors include the leveraging of trusted relationships with managed service providers and inadvertent or automatic “drive-by downloading” via pop-ups or text messages. The latter occurs when a company’s employee visits a compromised site, allowing malicious code to be downloaded and initiated without conscious interaction by an individual.
Risk Exposure
Ransomware attacks can result in operational risks to banks through the disruption of business processes and operations, as well as legal and compliance risks. A Department of the Treasury advisory statement specifically focuses on ransomware, warning that criminals responsible for ransomware could appear on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list.9 A bank transacting with a person who is on the SDN list could be in violation of OFAC regulations and could incur penalties. Consequently, a bank should ensure that the related sanctions risk is properly addressed by keeping abreast of the latest regulations from the relevant U.S. government agencies, including OFAC and the bank’s primary regulator. In addition, a ransomware attack that involves the theft of data would mean increased regulatory and legal scrutiny for affected banks, especially as the compromised data would require breach reporting10 and other types of disclosures.
Ransomware risks are not limited to a specific risk discipline or concentration. Hence, a bank may consider obtaining cyber insurance11 to partially reduce its financial exposure. Cyber insurance may not wholly protect against all types of financial losses, particularly if the insured organization does not employ sound risk management practices. Therefore, bank management should assess all aspects of a ransomware attack so that the bank’s risk management program can properly adapt to dynamic situations and, if applicable, comply with the provisions of its cyber insurance policy.
Prevention Mechanisms and Risk Management
There are multiple steps that key stakeholders at banks can use to protect against a ransomware attack. Most successful approaches take a “defense-in-depth” strategy. This approach includes a combination of security controls, such as antivirus/antimalware software, endpoint hardening, and data loss prevention software, designed to slow the attacker from succeeding in an incursion.
When known vulnerabilities in a hardware or software application remain unpatched, a bank is providing attackers with the opportunity to gain footholds and move laterally to conduct malicious activities. Therefore, diligent patching and vulnerability remediation is another ransomware prevention measure. Furthermore, proper network segmentation can limit the potential damage by restricting lateral movement and flagging potential rogue activity that attempts to traverse secured segments or locations within a bank’s network.
Banks should also restrict the use of administrative privileges, especially those tied to everyday email-enabled accounts. Banks could require separate secondary administrative accounts or employ a privileged access management solution that gates elevated access, limiting who can reach sensitive accounts. Banks can also consider implementing multifactor authentication to add another layer of security and reduce the impact of a single authentication factor, such as a password, being compromised.
A bank may wish to consider using an advanced email filtering mechanism to prevent phishing and other types of malicious emails. This may include employing tools that flag external emails, scan inbound/outbound emails, and block spam, which aids in the flagging and elimination of suspicious files. In addition, a bank may consider regular vulnerability scanning to identify potential vulnerabilities, especially for all internet-facing devices.
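The external-email flagging and attachment screening mentioned above can be illustrated concretely. The following is an added example, not code from the article or from any filtering product, of checks a mail gateway might apply before delivery: tag mail from outside the bank's domains, notice a sender domain that is a near-miss of the bank's own, notice a display name that matches a staff member but an address that does not, and hold messages carrying macro-enabled Office attachments. The message, the internal domain, the staff directory and the quarantine policy are all constructed for the example.

```python
"""Flag external and suspicious inbound email before delivery.

Added example of gateway-style checks: external-sender tagging,
lookalike-domain and display-name checks, and screening of
macro-enabled attachments. All data below is constructed.
"""
import difflib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"examplebank.com"}                    # constructed
STAFF_DIRECTORY = {"Jane Doe": "jdoe@examplebank.com"}    # constructed: display name -> mailbox
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
QUARANTINE_FLAGS = ("macro-enabled-attachment", "display-name-impersonation", "lookalike-domain")

# Constructed message: display name of a real employee, sender domain one
# character off from the bank's, and a macro-enabled spreadsheet attached.
RAW_MESSAGE = b"""\
From: "Jane Doe" <jane.doe@examp1ebank.com>
To: treasury@examplebank.com
Subject: Urgent wire approval
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached approval form and sign today.
--b1
Content-Type: application/octet-stream; name="approval.xlsm"
Content-Disposition: attachment; filename="approval.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""


def sender_domain(addr):
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, internal_domains, cutoff=0.85):
    """True when `domain` is a near-miss of an internal domain
    (for instance a digit swapped for a letter) but not the domain itself."""
    if domain in internal_domains:
        return False
    return any(
        difflib.SequenceMatcher(None, domain, d).ratio() >= cutoff
        for d in internal_domains
    )


def analyze_message(raw, internal_domains=INTERNAL_DOMAINS, directory=STAFF_DIRECTORY):
    """Return the rewritten subject, the list of flags raised, and a
    quarantine decision for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg["From"]))
    domain = sender_domain(addr)
    flags = []

    external = domain not in internal_domains
    if external:
        flags.append("external-sender")
        if is_lookalike(domain, internal_domains):
            flags.append("lookalike-domain")
        known = directory.get(display)
        if known and known.lower() != addr.lower():
            flags.append("display-name-impersonation")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(f"macro-enabled-attachment:{name}")

    subject = str(msg["Subject"] or "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject        # visible cue for the recipient

    quarantine = any(f.startswith(QUARANTINE_FLAGS) for f in flags)
    return {"subject": subject, "flags": flags, "quarantine": quarantine}


if __name__ == "__main__":
    print(analyze_message(RAW_MESSAGE))
```

On the constructed message all four checks fire, and the message is held rather than merely tagged. The external tag alone is a weak control, since it trains users to ignore it if most legitimate mail is external; the value here is in combining it with the impersonation and attachment checks, which are the ones that map to the spear-phishing, whaling and cloning variants described earlier.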
A bank’s critical systems should be backed up regularly and tested periodically to ensure viability. Reliance on a faulty backup to restore a system or data files could exacerbate an already tenuous situation in a ransomware event. An antivirus/antimalware software solution should be considered. Although much has been discussed related to the efficacy of antivirus signatures against zero-day12 attacks, this approach is still a protective measure.
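"Tested periodically to ensure viability" needs a concrete form, and one simple form is a hash manifest recorded when the backup is taken and checked before anyone relies on it. The following is an added example, not code from the article or from any backup product, that builds such a manifest, verifies a backup set against it, and shows the check catching a set that was altered in place and had a file removed. Directory layout and file contents are constructed in a temporary directory so the example runs stand-alone.

```python
"""Verify that a backup set still matches the manifest recorded when it was taken.

Added example: a SHA-256 manifest is one way to make periodic backup
testing concrete. It detects a backup set that was silently altered
(for instance, encrypted in place) or partially deleted before a restore
depends on it. All paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative to backup_dir, POSIX form) to its digest."""
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Compare the backup set on disk with the recorded manifest.
    Returns sorted lists of missing, modified and unexpected files."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Create a constructed backup set, record its manifest, verify it,
    then tamper with the set and verify again. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "core").mkdir()
        (root / "core" / "ledger.db").write_bytes(b"constructed ledger contents")
        (root / "core" / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "README.txt").write_text("constructed backup set\n")

        manifest = build_manifest(root)          # record at backup time
        clean = verify_backup(root, manifest)    # expected: nothing to report

        # Simulate what a restore must not discover for the first time:
        # one file rewritten in place, one removed, one that should not be there.
        (root / "core" / "ledger.db").write_bytes(b"\x00" * 32)
        (root / "README.txt").unlink()
        (root / "core" / "extra.bin").write_bytes(b"constructed stray file")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before)
    print("tampered set:", after)
```

The manifest is only as trustworthy as where it is kept: it belongs on storage the backup job can write once and nothing on the production network can later modify, otherwise an attacker who can rewrite the backup can rewrite the manifest to match. The same verification, run against a restored copy rather than the backup share, doubles as the restore test the paragraph calls for.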
Finally, banks should provide employees who use the network with security awareness training to prevent cyberattacks. Security awareness should encourage safe surfing practices and approaching every email with wariness, which provides an added layer of protection for the organization.
Overall, bank management should take a deliberate approach to understand how ransomware attacks are engineered and employ methods to develop a strong defense against them. While there is no single solution that can prevent every attack, an effective cybersecurity awareness program, which includes properly configured and implemented solutions, can aid a bank in proactively detecting, deterring, or slowing these attacks.
Communication and Collaboration
In addition to ongoing vigilance, Admiral Michael S. Rogers, former National Security Agency director and head of U.S. Cyber Command, advocates a macro perspective toward this multifaceted threat: “While there is a natural tendency to be embarrassed or protective of the bank’s reputation if a ransom was paid, it is prudent to take a collaborative approach. It is through candid communication and active cooperation, sharing information among private and governmental sectors, that the scourge of ransomware can be stemmed.”13 In this spirit of collaboration, the Federal Reserve System offers periodic training opportunities for bank leaders to practice responding to cybersecurity incidents using a dynamic training tool called Cyber Crisis Simulations, or “Crisis Sim.” For more information, see the informational box on Crisis Sim.
Conclusion
Ransomware remains one of the most prevalent and destructive cybersecurity threats currently facing banks, both domestically and globally. Some consequences of ransomware events may be irreparable, such as a significant revenue reduction or the loss of public confidence. These types of incidents can have a lingering emotional effect on a bank’s staff and can have negative consequences on a bank’s overall productivity, as some bank services may need to be shut down.
Banks should remain vigilant in their approach to mitigating the potential risks from a cyberattack by taking the following steps, among others:
- providing periodic awareness training to staff;
- creating and testing disaster recovery plans and procedures;
- maintaining an effective vulnerability management program;
- addressing concerns about software end of life;
- deploying and maintaining modern control environments to monitor for indicators of compromise; and
- notifying the bank’s regulator and law enforcement, as appropriate.
A bank’s leadership and its IT teams will need to be nimble and continuously rethink how they will deal with ransomware to keep their organization safe. Given the relentlessness of ransomware attacks, community banks should adopt industry-recognized security measures and continue to educate their staffs to keep sensitive data safe. A bank should also consider engaging in discussions with industry trade groups, trading positive and negative experiences about cyberattacks and the defense measures employed by the bank.
Cyber Crisis Simulations or “Crisis Sim”
The Crisis Sim exercises administered by the Federal Reserve Bank of Richmond are highly immersive training sessions designed to raise awareness and inform bank management about common issues that may arise from a cyber incident. During the sessions, participants work as a group and must make tough decisions to respond to a simulated cyber incident as events unfold. A training facilitator guides the interactive session, highlighting the pros and cons as participants develop a response to the simulated events. Participants have highlighted several benefits of Crisis Sim, including the ability to interact with other bank CEOs in the training sessions. Dexter Gilliam, president and CEO of the Bank of Charlotte County, provided the following feedback: “The interaction with other CEOs, as well as the facilitator, was invaluable. I returned from this exercise with a much sharper skill set.” To learn more about these Crisis Sim training sessions, reach out to your central point of contact.
- 1 See “Secretary Mayorkas Outlines His Vision for Cybersecurity Resilience,” available at www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-cybersecurity-resilience.
- 2 See “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between July 2021 and December 2021,” FinCEN report, November 1, 2022, available at www.fincen.gov/sites/default/files/2022-11/Financial%20Trend%20Analysis_Ransomware%20FTA%202_508%20FINAL.pdf.
- 3 The SANS Institute is a collaborative professional organization headquartered in San Antonio that serves as a resource for information security training, cybersecurity certifications, and research.
- 4 See Sharon Shea and Isabella Harford, “The History and Evolution of Ransomware,” Techtarget.com, July 2023, available at www.techtarget.com/searchsecurity/feature/The-history-and-evolution-of-ransomware.
- 5 A DDoS attack disrupts access to network services.
- 6 See the Sophos report, The State of Ransomware 2023, May 10, 2023, available at https://news.sophos.com/en-us/2023/05/10/the-state-of-ransomware-2023/.
- 7 Dwell time is the amount of time an attacker sits on an infiltrated system undetected after penetration.
- 8 Brute-force strategy is a trial-and-error methodology that is used to get into a company’s information systems, often employing cryptographic hacking tools that guess all possible passwords until the correct one is found.
- 9 See the Department of the Treasury advisory, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” September 21, 2021, available at https://ofac.treasury.gov/media/912981/download?inline.
- 10 See Supervision and Regulation (SR) letter 22-4/Consumer Affairs (CA) letter 22-3, “Contact Information in Relation to Computer-Security Incident Notification Requirements,” available at www.federalreserve.gov/supervisionreg/srletters/SR2204.htm, and the interagency joint final rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” 86 Federal Register (November 23, 2021), available at www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf.
- 11 See the Federal Financial Institutions Examination Council (FFIEC) joint statement, “Cyber Insurance and Its Potential Role in Risk Management Programs,” available at www.ffiec.gov/press/pdf/FFIEC%20Joint%20Statement%20Cyber%20Insurance%20FINAL.pdf.
- 12 A zero-day vulnerability is a software security flaw that is known to the software vendor but for which no patch is in place. If this flaw is left unaddressed, security holes are created that cybercriminals can exploit.
- 13 A summary of the keynote fireside chat with Admiral Michael S. Rogers from the Community Bankers Symposium held at the Federal Reserve Bank of Chicago on October 21, 2022, is available at www.chicagofed.org/publications/blogs/chicago-fed-insights/2022/community-bankers-symposium.