Addressing Ransomware And Other Threats

(l-r) Debra Still, CMB, John-Thomas Gaietto, Holly Easter Kelley, Scott Riddick, Andrew Ward.

AUSTIN, TEXAS–Ransomware attacks are a growing threat in the financial services sector, computer security specialists said here at the Mortgage Bankers Association’s 2019 Annual Convention & Expo.

Scott Riddick, Senior Special Agent with the U.S. Secret Service, said ransomware is a computer virus designed to evade detection that invades a computer system. “Once infected, the ransomware will encrypt files on the network to require a special key to unlock them,” he said, noting a hacker could “kidnap” a firm’s technology or databases and demand a ransom to release them. “The demands can vary from hundreds of dollars up to millions,” he said.

Riddick compared a corporate computer system to a medieval castle surrounded by a stone wall–similar to a computer network’s firewall–to protect the content inside. He said an invader could attack the wall in a frontal assault, or it can trick someone inside the castle or inside the computer network to “lower the drawbridge” by clicking on a malicious email attachment or visiting a malicious website that releases a virus.

One recent trend is inclusion of a “worm” within the ransomware virus that enables it to traverse laterally across the network to infect more systems, Riddick noted. “In our castle, once the drawbridge is down, the attacker can run from building to building,” he said.

Andrew Ward, Chairman of CyFIR, said the number of ransomware attacks doubled in 2018 compared to 2017. “It will likely double again this year compared to 2018,” he said. “The thing that strikes me is how quickly these attacks can go through a system. Within an hour.”

Ransomware hackers often attack a firm’s backups first to eliminate that fallback, Ward said. “You should have backups off site that you can use to get up and running again,” he said. “The time it takes to bring that up and sync it with where you were before the attack could take weeks.”

Panel moderator Debra Still, CMB, President and CEO of Pulte Mortgage LLC, said MBA recently released a white paper, The Basic Components of an Information Security Program, to help firms understand and prepare for information security threats.

The best defense against a potential attack is to game-plan one, said Richey May Technology Solutions Executive Director of Cybersecurity Services John-Thomas Gaietto. “Companies need to prepare not for if an attack happens but what to do when one occurs,” he said. “Run through the scenario. For example, discuss when will you contact law enforcement and your insurance company. Think through these steps now to be prepared for if or when an incident occurs.”

Ward said relatively simple things like training your firm’s personnel can be a low-cost but highly effective defense against ransomware attacks. And be sure to find and strengthen any weaknesses in your network. “Many attacks occurred because firms did not do their patching of their network,” he said. “We regularly go to the doctor for a checkup; you should do the same with your network. Checking the system and taking care of any issues regularly is a good practice. As I said, when an attack occurs, it happens fast, so you need detection software so you can see when an intruder is in your system so you’ll know as soon as anything happens.”

Gaietto recommended having so-called canary files that act as early-warning devices–similar to canaries in a coal mine–if they see things becoming encrypted. “We see companies moving toward that,” he said. “You need to think about buying tools like that that are managed. There are a lot of services out there you can manage that can have enterprise-size control for a good price.”

Roughly half of the companies across business sectors hit with ransomware paid the ransom to end the attack, Gaietto said. “But each organization must make that decision for themselves,” he said.

Riddick said the city of Baltimore recently suffered a ransomware incident. “The city spent $18 million to bring everything back up; the initial ransom demand was $100,000,” he said. “Of course, there’s no guarantee they would have gotten the key [if they had paid the ransom]. But when your business is down and customers are screaming and you’re losing money, you need to look at how easy is it to get back on your feet, that’s a decision you might have to make.”