Ransomware developers and affiliates have been telling victims they must pay the ransom or stolen data and internal company secrets will be publicly released. Unfortunately, not everyone has believed them. But now that these threats have been carried out, six- and seven-figure demands have become routine in ransomware attacks, with the average ransom payment in the second quarter of 2020 reaching $178,254, a 60% leap from the $111,605 average in the first quarter, according to the Coveware Quarterly Ransomware Report.
“Credit unions need to be looking out for ransomware techniques. These cyber attacks have no boundaries and are truly a global issue,” says Carlos Molina, Senior Risk Consultant at CUNA Mutual Group. “Ransomware has grown in frequency and severity significantly. The average ransom payments have climbed exponentially in the last few years.”
Ransomware payments in 2019 were three times as large as 2018 payments and four times more extortion demands were paid in 2018 versus 2019, according to incidents reported to Beazley. In fact, ransomware claims increased 239% and the total cost of ransomware payments has increased by 228% from 2018 to 2019.
Derek Laczniak, Director of Cyber Liability at M3 Insurance, explains that “Ransomware developers threatened to release stolen data in the past. However, now with the actual release of confidential information, credit unions need to treat these attacks more like data breaches. Business interruption from these events has become a regular occurrence leaving both reputational and financial impacts.”
How Does Ransomware Work?
Ransomware is malicious software that restricts access to an infected machine, usually by systematically encrypting files on the system’s hard drive. The cyber criminal then demands payment of a ransom in exchange for the key or keys to decrypt the data. Ransomware can be devastating.
The most commonly identified infection points used to deploy ransomware are:
- Phishing emails
- Corrupt attachments
- Weak or poorly secured remote desktop protocols (RDP)
- Unpatched system vulnerabilities and untimely anti-virus updates
- Extensive reuse of passwords
- Lack of multi-factor authentication
Molina points out that more effort is being made by criminals to remain undetected on a breached network. The time that exists between the first execution of malware and its discovery inside the network is commonly referred to as “dwell time.”
“Increased dwell time provides threat actors with opportunities to escalate hijacked privileges while searching for data caches of sensitive information that can be exploited,” says Molina. The average dwell time is 43 days for ransomware, according to an Infocyte report.
There has also been a significant increase in criminals who purchase ransomware kits on the dark web, launch attacks in the hope of getting some payment and care little about the data restoration experience of their victims.
“Ransomware code on a reseller distribution network is a very lucrative business for cybercriminals. The availability of free, do-it-yourself ransomware-as-a-service (RaaS) kits, and cheap attack ingredients has pushed the barrier to entry extremely low and deep technical expertise is no longer really needed,” according to M3’s Laczniak. “It is also possible that the increase of RaaS usage is related to the economic impact of the pandemic driving more financially-stressed individuals towards a career in cybercrime.”
“There’s no foolproof way of preventing ransomware attacks from occurring,” says Molina. “However, ransomware can often be avoided with the right IT security and risk management procedures. Proactive prevention is the most effective for credit unions.”
7 Key Prevention Tips
1. Keep all systems patched and up to date, including hardware, mobile devices, operating systems, software, cloud locations and content management systems (CMS). If possible, a centralized patch management system should be used.
2. Activate two-factor/multi-factor authentication (2FA/MFA) on all systems — including managed service provider software platforms, administrator systems and end-user systems wherever possible.
3. Back up data regularly and verify its integrity. Ensure backups are not connected to the computer or networks that are being backed up (i.e. securing backups in the cloud or physically storing offline).
4. Apply the principles of least privilege and network segmentation: an end user should be given only the privileges necessary to complete tasks related to their role in the institution. If an employee does not need an access right, the employee should not have that access right.
5. Provide frequent social engineering and phishing training to employees so they are your first line of defense. Reminders should regularly be made to not open suspicious emails, not click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
6. Vet and monitor third-party remote access to the credit union network and connections to third parties. Ensure they are diligent with cybersecurity best practices.
7. Familiarize yourself with FinCEN’s advisory and list of ten financial red flag indicators (Oct. 1, 2020) to assist in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.
Security experts are reporting a potential increase in ransomware attacks for the foreseeable future. “As ransomware tools and deployment methods advance,” Molina emphasizes, “criminal groups will continue to launch more targeted attack campaigns resulting in increased paid ransom demands and more negative impact to credit unions’ reputation and bottom line.”