Cyber Extortion on the Rise: What Your Financial Firm Needs to Know
On November 3rd, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a statement warning financial institutions of the increasing number of cyber-attacks used to extort money and other allowances from victims, a trend that is seen around the world. For example, news came out in September that several large financial organizations in the United Kingdom were being targeted by extortion cybercriminals in the DD4BC group for bitcoins. According to the report, 58% of the extortion ring’s targets were financial organizations (banks and credit unions, currency exchangers, and payment processors), and their monthly attacks increased 400% between September, 2014, and June, 2015.
Likewise, representatives from Interpol expressed concern over the growing number of sophisticated cyber-attacks against banks in Russia, Eastern Europe, and other former Soviet states. One very active form of sophisticated attack referenced was cyber extortion. Even in situations where the primary attack is thwarted, as in the case of five Russian banks combatting planned distributed denial of service attacks, the hackers may find other means for financial gain. In this case, they sent letters extorting payment to prevent future attacks from occurring. Unfortunately, in these situations, many of the extortion victims end up paying the ransom rather than succumbing to the various risks involved. Doing so may in turn increase chances of being targeted again, since the hackers know the money will be paid.
Financial institutions in the United States are not immune to the rise in cyber extortion attacks, either. The FBI acknowledged more than 100 companies in the financial sector received cyber extortion threats between April and July of this year. Recognizing this global trend, the FFIEC has listed ways financial institutions can mitigate the risks of falling victim to cyber extortion. Here, we’ve provided an overview of those steps and additional ways your firm can prepare.
Understanding the Risks
Although there are several ways a cybercriminal can gain access to sensitive information, a handful of methods are being used more frequently in cyber-attacks involving extortion: denial of service (DoS) attacks, ransomware, and activism.
- Denial of Service—a coordinated effort to overwhelm a business’ web server or network through repeated requests for communications, making it impossible for legitimate users to gain access. When this is done using thousands of computers, it is called a distributed denial of service (DDoS) attack.
- Ransomware—a form of malware used to encrypt data on infected computers, typically installed through clicking links in deceptive emails or accessing malicious sites.
- Activism—an effort to cause a business to take specific action in return for stolen sensitive business and/or customer data.
Once an attack has been initiated or the information is stolen, hackers will demand a ransom be paid before the systems are returned to normal or the information is prevented from being leaked. In some instances, ransom requests can be in the tens of thousands of dollars.
At stake for extortion victims are their liquidity, capital, continuity of operations, compliance, and reputation, which can be the result of fraud, data loss, and disruption of customer service. According to the Neustar, for example, financial institutions can face up to $100,000 per hour in losses as a result of a service disruption. Knowing what’s at stake, follow these FFIEC guidelines to increase your preparedness:
- Conduct ongoing information security risk assessments internally, and be sure third party vendors perform effective risk management, maintain and test controls, and provide incident reports whenever security issues arise.
- Securely configuring systems and services to promote the implementation and maintenance of a secure network, which may mitigate the impact of potential ransomware.
- Protect against unauthorized access and unpatched systems such as personal computers and mobile devices connecting to internal critical systems.
- Ensure security monitoring, prevention, and risk mitigation systems are up-to-date and reviewed periodically. Also perform due diligence audits of third party vendor software and services.
- Update information security awareness and training to include extortion information, and implement information security training throughout the entire financial institution.
- Implement and regularly test controls around critical systems.
- Review, update, and test incident response and business continuity plans on a regular basis at the financial institution and with third party vendors.
- Participate in industry information-sharing forums to identify, respond to, and mitigate new cyber risks.
With the rising amount of cyber-attacks involving third party vendors, it is important to factor your vendors’ cybersecurity efforts into your own. To learn more about vendor assessments, register for our free webinar on Thursday, November 19th, at 2pm with business continuity expert Mark Madar and Preparis CEO Armistead Whitney. For ways we can help you mitigate the risks of cyber extortion and build a culture of preparedness within your organization, visit www.preparis.com or contact us at firstname.lastname@example.org.