As I discussed in a recent blog post, the U.S. Federal Financial Institutions Examination Council (FFIEC) issued an alert in early November around the sharp rise (both in number and severity) of cyber crimes against financial institutions that involve extortion. The attacks are being committed by cybercriminals who hack the computer systems/databases of banks and other financial institutions and hold sensitive information or systems access “hostage” until a sum of money is paid.
The attack is usually executed by infecting the unsuspecting user’s computer system with ransomware, usually delivered via a Trojan horse. This type of malware seizes control of and blocks access to files, programs and operations of a victim’s computer system by encrypting the system files. The cybercriminal then displays a message on the infected computers demanding a payment be made, and sometimes they even threaten to destroy all of the files if the victim attempts to uninstall or otherwise remove the malware without paying the ransom.
The ransomware screens often attempt to trick the victim into thinking that the attack is the result of some official government sanction. For example, it may inform the victim that they have done something bad, and until a “fine” is paid, the computer will be locked. The screen often resembles something from law enforcement, by using images such as the official crest of the FBI, Department of Homeland Security, or local police department. The “fine” victims are meant to pay does not go to the authorities - instead it goes to the hacker’s untraceable bank account, most likely in Eastern Europe.
The latest attacks involved a newly discovered strain of ransomware called Linux.encoder, which attempts to infect Linux-based operating systems and files for web pages. The ransomware waits for administrator privileges to run, and when it does, it moves to the server and encrypts any file type, image, page, script and source code it can find. This malware leaves a text file detailing how victims can pay the single Bitcoin ransom in exchange for a key to decrypt the files.
Ransom demands can range anywhere between $100-$300 dollars, but sometimes can go as high as $5,000. Cybercriminals behind the attack often demand the payments be made using virtual currency, or that a wire transfer be made to an anonymous overseas bank account – and there is no guarantee that the hacker does not simply destroy the computer files anyway. Many industry analysts estimate that fraudsters can make upwards of $400,000 per month using ransomware. The easy money made from this cybercrime has led to its proliferation, especially in the banking and financial sectors.
But ransomware is not the only method that cybercriminals use to extort money from financial institutions. Other tactics include a denial of service (DoS) attack, the theft of sensitive business and customer information to extort payment or other concessions from victims may also be employed. This type of cyber attacks continue to grow very rapidly, with the number of new ransomware samples rising 58% in the second quarter of 2015. McAfee Threat Labs attributes the increase to fast-growing new families of the malware, such as CTB-Locker, CryptoWall, and others. The total number of ransomware samples grew 127% in the past year.
Rather than providing specific compliance guidelines on potential new regulatory expectations, the FFIEC issued the alert to help financial institutions mitigate specific risks related to the threats associated with these types of cyber attacks. The FFIEC statement also presented a number of steps that financial institutions should take to strengthen their security posture. To learn more about the recent cybersecurity assessment tool (CAT), including ways to establish a process for identifying fraud, please register to attend our upcoming webinar here.