'It's very scary': Small banks quietly hit by ransomware attacks

In recent days, two ransomware groups, DarkSide and Ragnar Locker, have posted evidence that they have successfully broken into three small banks’ servers, stolen data and demanded ransom. If the ransom isn’t paid, they say, they will expose more of the banks’ data.

The evidence, posted on the hacker groups' dark web sites, includes screenshots of customer databases the hackers say they exfiltrated from the banks. This is typical of ransomware tactics, in which attackers publish some stolen data on their sites to prove they were successful and to induce the company to pay the requested ransom.

Two of the alleged victim banks in these cases, which are in California and Florida, did not respond to multiple requests for comment. The CEO of the third bank, who asked not to have his bank named, said the bank is investigating the incident and does not have anything to report yet.

“It's scary,” he said. “To be honest with you, it's very, very scary. It’s something we can’t control.”

Doing it for the money

The ransomware groups’ postings highlight the fact that banks, even the smallest ones, are popular targets of ransomware attacks, which have become more frequent. According to Verizon’s 2021 Data Breach Incident Report, 10% of all data breaches now involve ransomware.

The DarkSide ransomware group, whose May attack on Colonial Pipeline prompted a week-long shutdown of the 5,500-mile pipeline, has also targeted community banks.

The evidence the hackers posted does not necessarily prove that these community banks suffered data breaches, according to David Pollino, data security consultant and former data security leader at PNC Financial Services Group and at Bank of the West, who reviewed the documents on the Ragnar Locker site.

The evidence the hackers provided is “pretty compelling,” but it needs to be verified by the target companies, he said. “Documents can be forged or compromised by a third party.”

If the hackers present data that only includes credit card numbers, account numbers, names, and addresses, for instance, it’s possible the criminals combined data sets stolen from previous data breaches with commonly known information, such as routing numbers, and grouped them by institution, Pollino said. This would be a way to monetize old data from earlier breaches.

Bank security people hit with ransom demands would do well to cross-reference the hackers’ data and see if there are many sequential account numbers, or if there’s an internal pneumonic for customers used to determine if there truly was a fresh attack. They should also validate that information such as card expiration dates and card numbers are accurate.

”Any institution that's potentially impacted should do its due diligence on the information that's being published out there to figure out whether or not that it's credible,” Pollino said.

Some security researchers say it would be a waste of the hackers’ time to post false threats.

“I would be extremely surprised if the banks had not been compromised,” said Brett Callow, threat analyst at Emsisoft, an anti-malware software company based in Nelson, New Zealand.

Still, hackers do sometimes exaggerate the amount of data they were able to obtain in an attack.

“They do that because [ransomware victim] companies are often in a state of dazed confusion in the early stages of an attack, all their systems are scrambled and it's really hard for them to work out what data the criminals actually obtained,” Callow said. “So the criminals attempt to use that confusion to their advantage and overstate their hand sometimes. But I've never heard of that being a complete bluff.”

Ransomware groups, like most hackers that try break into bank servers, do it for the money: Verizon’s report found that 96% of data breaches at banks and insurance companies are financially motivated. Community banks may be a special target for ransomware hackers because they tend to have smaller security teams and limited resources to cope with such attacks.

“Like legitimate enterprises, ransomware gangs will continue to use strategies that have proven to be successful,” Callow said. “If attacks on a particular sector have proven to have a better-than-average conversion rate or return on investment, they’ll attack that sector again and again and again and again. The groups are driven by economics, and that makes them somewhat predictable.”

Incident response

When banks determine they have been breached, they are required under most states’ laws to notify every customer whose personally identifiable information may have been compromised. (Personally identifiable information describes combinations of data elements that could identify a consumer, such as name plus Social Security number, or account number plus credit card number.)

In addition to disclosing a breach to affected customers and regulators, a victim bank’s security department has to take many other steps.

“Remediating the incident is a complex, multiweek or multimonth process,” Callow said. “It's a matter of identifying how the attackers got in, closing that door, restoring the systems. That's not easy.”

Callow spoke last week with someone at a U.S. school district that suffered a ransomware attack in October.

“They've still got some systems that they haven't been able to fully restore,” Callow said. “It's a nightmare. Lots and lots of companies underestimate just how difficult recovery is going to be.”

And someone in the company has to make the difficult decision of whether to pay the ransom the hackers demand.

The CEO of Colonial Pipeline opted to pay. He told The Wall Street Journal he authorized a $4.4 million ransom payment “because executives were unsure how badly the cyber attack breached its systems and how long it would take to bring the pipeline back.”

But according to Callow, the surrounding circumstances were unusual. Most ransomware payments to DarkSide are made in the cryptocurrency XMR, which is hard to trace. The group does accept payments in bitcoin, but it adds an extra 20% fee on top of the ransom demands to do so.

Colonial, which brought in help from the security firm Mandiant, paid its $4.4 million ransom in bitcoin, which means the company paid about $500,000 more than it needed to, Callow said.

After the payment was made, DarkSide’s website came down and the money that was put in DarkSide’s wallet was redirected elsewhere.

Will the government help?

The government tends to take punitive action around data breaches on banks, including levying large fines. For instance, Capital One suffered a data breach in July 2019 in which data on 100 million customers was compromised. More than a year later, the Office of the Comptroller of the Currency ordered the company to pay an $80 million fine, citing its “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”

Pollino is hopeful that an executive order signed by President Biden on May 12 will end up helping banks hit with ransomware and other data-breach attacks. It will set up a national Cyber Safety Review Board that will review and assess threat activity, vulnerabilities, mitigation activities, and agency responses to cyber attacks.

“That will give us not only better tools to completely understand breaches, but also be able to effectively respond to them with more resources, especially if you're talking about smaller institutions or smaller companies that don't have the forensics and response resources that larger companies have,” he said.I'm cautiously optimistic that the recent presidential executive order will be positive for the cybersecurity community and hopefully lead to some more investments in security.”

A common view is that the only way to stop the spread of ransomware is to prevent victims from paying the ransom. While that could cause some short-term pain for the company under attack, the thinking is that if firms stop paying, hackers would have no financial incentive to commit breaches and demand ransom.

“I think the only solution is to prohibit the payment of ransomware,” Callow said. Countries would need to enact laws making such payments illegal.

“These attacks happen because they are profitable,” he said. “If you make them unprofitable, they will very quickly stop. That's an extreme solution, but there would be long-term benefits. And the alternative is, public and private sectors continue to be attacked by ransomware criminals who are getting bolder, more brazen and more accomplished in their attacks with each passing day.”

For reprint and licensing requests for this article, click here.
Cyber security Ransomware
MORE FROM AMERICAN BANKER