There are more of these cases than you might think. Emphasize prevention, but be prepared.
Most credit unions have heard about ransomware attacks, but few have experienced them, says Ray Murphy, chief information security officer at LEO Cyber Security, Dallas.
“The criminals are now exploiting schools, healthcare—including hospitals and doctors’ offices—and municipal governments that lack sophisticated cybersecurity controls. These organizations have experienced prolonged service disruptions, which adversely affect students, patients and residents.”
Ransomware attacks penetrate and hijack operations systems. To get the key to turn them back on, you may have to pay the ransom. Interestingly, you can probably trust the thief to bring your systems back up if you pay.
“These criminals police themselves and protect their brand,” Murphy reports. “They value a reputation for being true to their word. It’s honor among thieves. Ultimately, paying the ransom is a business decision and should be decided by executive leadership, even though law enforcement agencies discourage organizations from paying the ransom.”
Theoretically, the antidote to ransomware attacks is back-up systems, something all CUs have as part of their disaster recovery/business continuity strategies. If pirates hijack your main system, switch to the back-up. But having a back-up is not a panacea, Murphy cautions.
“The backup/restore process may transfer the ransomware to the back-up, which can defeat the purpose of a back-up,” he points out. “Even an active-active arrangement can be adversely impacted by the ransomware infection. You have to test your back-ups routinely to make sure they are clean. Even with a clean back-up, it’s not always easy or quick to restore full operations. Natural disasters are innocent disruptions that don’t threaten back-ups, but with ransomware, you need forensic investigators to identify the root cause and damage to the internal network to be sure the threat is completely removed and not waiting to attack again.”
Back-ups aren’t much use in thwarting ransomware attacks, agrees Paul Love, chief information security officer at CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, Calif. “Attackers can plant the bug and then wait until you’ve transferred it to the back-up,” he explains. “By the time you get shut down and receive the ransom notice, it’s too late, and the back-up is gone too.”
Such attacks are probably more common than most CU managers realize. Ransomware attacks aren’t always reported, Love observes. “There is more of that happening than you might think.”
Can a CU insure against that risk? FIs, including some CUs, do buy insurance against ransomware these days, Love notes, but they may not be as protected as they think. “Most contracts,” he says, “have clauses requiring ‘reasonable security,’ and that’s where arguments occur.” Also, losses may be bigger than expected and exceed coverage, he adds. “A lot of the costs of recovery are not obvious.”
Should CUs have bitcoin on hand just in case they need to pay ransom? Some do, but consultant Richard Crone of Crone Consulting LLC, San Carlos, California, calls maintaining bitcoin accounts in anticipation of a ransom attack “a distraction.”
Some Canadian CUs have agency arrangements so they can get bitcoin quickly if they experience a ransom attack, reports CUES member Doug Eveneshen, president/CEO of $49 million Stabilization Central Credit Union, Vancouver, British Columbia. Most, however, emphasize prevention through staff training and leadership, he notes.
Richard H. Gamble writes from Grand Junction, Colorado.