The Rising Tide of Ransomware
On November 3, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement notifying banks and financial institutions of the increasing frequency and severity of cyber attacks involving extortion.
The U.S. Computer Emergency Readiness Team (US-CERT) notes that cyber-extortion malware, sometimes also referred to as ransomware, "is a type of malware that infects a computer and restricts a user’s access to the infected computer." The malware is used to extort money from victims by indicating that the victim's computer has been locked or that access to files has been denied, and by demanding that a ransom be paid to restore access.
Ransom demands typically range between $100 and $300, and are sometimes demanded in virtual currency, such as Bitcoin. The Federal Bureau of Investigation (FBI) has identified certain ransomware that attempts to extort as much as $5,000. Some industry analysts estimate that malicious actors can profit almost $33,600 per day, or $394,400 per month, using ransomware. The increasing profitability of ransomware has contributed to its proliferation, especially in the banking and financial sector.
The FFIEC's statement is "intended to alert financial institutions to specific risk mitigation related to the threats associated with cyber attacks involving extortion." The statement identifies a variety of risks that victim institutions may face, including "liquidity, capital, operational, compliance and reputation risks, resulting from fraud, data loss, and disruption of customer service."
In order to mitigate the risks presented by ransomware, the FFIEC has advised institutions to conduct ongoing security risk assessments. Ideally, such assessments should include ongoing evaluations of an institution's IT systems, performing security monitoring, prevention, and risk mitigation activities, providing adequate training and awareness to personnel about cyber attacks involving extortion, and implementing and regularly testing controls around critical systems and services.
Institutions are also encouraged to review their incident response and business continuity procedures to help improve the organization's response in the event of an attack. The FFIEC is also promoting information sharing with the Financial Services Information Sharing and Analysis Center (FS-ISAC) so that institutions can better identify attack tactics and successfully mitigate ransomware attacks on their systems. Institutions that are victims of cyber extortion schemes are encouraged to inform law enforcement authorities and notify their primary regulator(s).
Institutions should also be aware of their responsibility to notify their federal and state regulators if the attack results in unauthorized access to sensitive customer information. Notification must be in accordance with the Interagency Guidelines Establishing Information Security Standards implementing the Gramm–Leach–Bliley Act and applicable state laws.
With the increasing scope and severity of cyber extortion attacks, institutions should be prepared to handle such threats. Ice Miller’s Data Security and Privacy Practice advises clients on issues of risk management, data breach response, cyber security planning, and business continuity.
Nick Merker, a former IT systems, network, and security engineer, is also a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on data security issues. Sid Bose is a former IT systems engineer. Nick Merker can be reached at firstname.lastname@example.org or (312) 726-2504. Sid Bose can be reached at email@example.com or (317) 236-2243.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.