By Monica C. Meinert
Unfortunately for banks and businesses, ransomware is all the rage these days.
These crippling attacks—through which cyber criminals install malware that encrypts data on computers or mobile devices and renders it useless until a ransom is paid—have been observed around the globe, and have grown in scope and sophistication in recent months. Anyone can be a victim, from individuals to global corporations, and criminals have grown increasingly focused on targeting critical infrastructure entities like oil pipelines, food processors, hospitals and municipalities.
Recent high-profile ransomware attacks included an incident affecting the Colonial Pipeline—a major supplier of fuel to the East Coast—which triggered widespread gas shortages. Another involved an attack on JBS Foods, the world’s largest meat processor, forcing temporary closures of all beef plants in the U.S. Both of these attacks were thought to have been perpetrated by state-sponsored Russian hackers. The Russian invasion of Ukraine has only heightened concerns about the potential for crippling ransomware hacks.
“Those attacks demonstrated that ransomware was not just a nuisance, but present systemic risk when the very systems being held for ransom are the critical infrastructures that our nation’s economy relies upon in order to function,” says Juan Zarate, global co-managing partner and chief strategy officer at K2 Integrity, adding that ransomware has become the “issue du jour” for regulators and banks alike. Incidents like the Colonial Pipeline or JBS Foods attacks have “really quickened the pace of attention to threats from ransomware and the financial ecosystem that goes along with it,” Zarate told attendees at the ABA/ABA Financial Crimes Enforcement Conference in January. “Ransomware and the dynamics around the threat and risk have really become a center of gravity for how we think about cyber threats and cybersecurity.”
Convergence with crypto
The rising threat of cybercrime has converged with the rapidly evolving cryptocurrency landscape, which has grown larger and more legitimate over the past few years—in fact, the market cap of all cryptocurrencies at the start of 2022 was hovering around $2 trillion, up from $345 billion in 2020.
Cryptocurrencies have become an important conduit for criminals to move illicit funds, and it’s not uncommon for hackers to demand that payments be made using cryptocurrencies. An analysis of Suspicious Activity Report filings conducted by CipherTrace (a cryptocurrency intelligence company that was recently acquired by MasterCard) found that as 2021 came to a close, more than $4 billion in cryptocurrencies and other digital assets had been lost due to hacks and fraud, and almost $1 billion had been lost due to ransomware.
Essentially, “you have a convergence of cyber-related risk and threat through ransomware and vulnerabilities tied to the crypto economy for illicit purposes all coming to a head,” Zarate explains, which has led regulators and law enforcement agencies—including the Financial Crimes Enforcement Network, the Federal Bureau of Investigation and Office of Foreign Assets Control—to issue a number of advisories warning banks of these growing threats and ramping up sanctions and reporting expectations.
(That’s not to say that cryptocurrencies provide a one-sided advantage for bad actors, however. In fact, Zarate adds that the open architecture of blockchain ecosystems could actually allow for greater traceability of illicit funds by law enforcement, or a greater ability to claw back payments that have been made in a ransomware context, as was the case in the Colonial Pipeline incident: in June 2021, the Department of Justice announced that it was able to recover the majority of the bitcoins that Colonial Pipeline paid as ransom.)
While many banks have not yet begun offering cryptocurrency products or services to their customers directly, CipherTrace CEO Dave Jevans cautions that even “if your bank isn’t doing crypto directly, it’s being done to you”—meaning that bank customers are engaging in the crypto and virtual asset markets, potentially exposing the bank to greater risk and fraud. Additionally, Jevans notes that “over half of cryptocurrency exchanges . . . have extremely weak or nonexistent know-your-customer procedures. This creates a risk scenario that banks need to understand.”
When clients become ransomware victims
This convergence of threats and vulnerabilities leaves banks with a real tactical challenge, Zarate says. “Institutions have to deal with the question of whether they understand what attacks have taken place, where vulnerabilities are, what data has been taken, what the perpetrators may have—and then the cost-benefit analysis of whether putting those systems offline or at risk is worth it,” he says. “All of this resolves to greater cyber hygiene, greater adherence to [National Institute of Standards and Technology] protocols [and] greater devotion to ensuring that the basics of cybersecurity are being done so you’re not left with the very hard question: do you pay if you’re attacked?”
Beyond being concerned about the bank itself falling victim to ransomware, banks also have to be prepared to respond if they suspect that their customers are making ransomware payments to criminal actors.
These transactions can be hard to identify—particularly if the ransomware payments are exiting the bank and moving through a third party, like a cryptocurrency exchange—but Neil Eisenstadt, assistant general counsel for global financial crimes at JPMorgan Chase, notes that “there are some circumstances in which financial institutions are uniquely positioned to learn about a ransomware attack against a client, depending on what kinds of products or services you offer your customers.”
For example, clients using online payments products and services may reach out to the bank to have those services disabled if they’ve been subject to a ransomware attack. Given that, Eisenstadt recommends training customer-facing bank staff on how to engage clients in a “frank discussion” of the factors motivating such a request. “A lot of times, with the right approach to that conversation, [bankers] will be able to elicit if the client is subject to a ransomware attack.” His bank provides talking points to help them communicate with clients and explain that it’s in their best interest to inform the bank if they’re contemplating making a ransomware payment. “We want to at least give the client some comfort at the outset that our interests are typically aligned with theirs, and we have a joint interest in trying to get comfortable if the client is even considering making a ransom payment.”
Having a playbook prepared in advance to help guide the bank’s response to various ransomware scenarios can also be helpful. Eisenstadt recommends that banks have go-to response plans ready to address a scenario where a customer is considering making a payment, and one in which the payment has already been made.
In the first case, a bank will likely need to make a decision in a short amount of time about whether or not to allow the payment to go through, observes Sharon Cohin Levin, a partner at Sullivan and Cromwell, so “it’s best to have a playbook so you’re not caught off guard and scrambling to figure it out.”
Levin adds that banks should carefully review their obligations for notifying their regulators and law enforcement in the event they suspect a customer may be a victim of a ransomware attack. “Regardless of the size of your institution, you’re going to encounter this issue,” says Levin. “Everything you can do in advance to prepare—to have that playbook, to know how to respond—is going to help your institution, and it’s also going to help your customer. They’re in a crisis, and you’re going to be working with them to find the most effective way to deal with that crisis, consistent with your legal and regulatory requirements.”