Ransomware Attacks Raise Concerns for Credit Unions

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. The Cybersecurity Infrastructure Security Agency (CISA), the nation’s cyber defense agency, says ransomware incidents have become increasingly prevalent in recent years among state, local, and tribal government entities, and credit infrastructure organizations such as credit unions.

Ransomware follows similar patterns, starting with the initial compromise of the system. Some of the most common infection points are:

  • Phishing emails with corrupt attachments or links;
  • Weak remote desktop protocols;
  • Unpatched systems;
  • Extensive reuse of passwords; and
  • Lack of multi-factor authentication.

Users often open a corrupt attachment or link which unknowingly installs the malware on their computer. The hacker then explores the network looking for vulnerabilities and sensitive data, which often goes undetected. Once they have access, the ransomware will spread through the network and encrypt material. The hackers will then make their ransom demand in exchange for a decryption key.

CISA provides suggestions and questions to ask that may help protect credit unions’ networks:

  1. Backups: Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
  2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
  3. Staff Training: Have we trained staff on cybersecurity best practices?
  4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
  5. Application Whitelisting: Do we allow only approved programs to run on our networks?
  6. Incident Response: Do we have an incident response plan, and have we exercised it?
  7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
  8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

TruStage shared steps credit unions should take to manage a ransomware incident if one should occur, including:

  • Do not restore data until images can be collected by the digital forensics team.
  • Do a global password reset.
  • Disconnect from back-ups.
  • Disconnect from the internet.
  • Check to see if there are any malicious inbox rules.
  • Obtain the ransom demand to share with the legal and forensics vendors.
  • Contact your insurance carrier immediately to report an incident.

 

Cyber Incident Reporting

The NCUA has the Cyber Incident Notification Requirements rule which states that NCUA must receive notification as soon as possible but no later than 72 hours after a credit union reasonably believes that it has experienced a reportable cyber incident. A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:

  1. A substantial loss of confidentially, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services or has serious impact on the safety and resiliency of operational systems and processes;
  2. A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
  3. A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud servicer provider, or other third-party data hosting provider or by a supply chain compromise.

In addition, CISA recommends contacting law enforcement immediately. They encourage contacting a local FBI or Secret Service field office to report a ransomware event and request assistance.

https://www.fbi.gov/contact-us/field-offices

https://www.secretservice.gov/contact


Additional Ransomware Resources

InfoSight Security Topic

  • Cybersecurity – An overview of the regulatory requirements to manage the risks related to cybersecurity.
  • Cybersecurity Resources – A compilation of topics and tools addressing various aspects of cybersecurity.
  • Data Breach – Data breach reporting requirements for each of the GoWest states.

CISA Ransomware Guide

CISA How to Protect Your Networks from Ransomware

NCUA Cybersecurity Resources

NCUA – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice

If you have questions about ransomware prevention, contact GoWest’s Compliance team at 800.546.4465 or [email protected].

Posted in Across the Region, Compliance Resources.