Ransomware and credit unions: Before, during & after an attack
It’s no secret that ransomware attacks are on the rise, with an attack occurring every 10 seconds since the beginning of 2020. The U.S. Treasury has tied $5.2 billion in Bitcoin transactions to ransomware payments, and the average ransomware payment climbed 82% to a record $570,000 in the first half of 2021, up from $312,000 in 2020.
Credit unions continue to be prime targets due to the highly confidential nature of the data they possess, the breaching of which can result in millions of dollars in fines and penalties. As bad actors continue to evolve their methods — and victims continue to pay up — credit unions must be proactive and prepared regarding their cybersecurity strategy.
The following tips can help you prepare and respond before, during, and after a ransomware attack.
Before an Attack
Have an incident response plan (IRP) in place
This is foundational: the IRP gives your cyber team instructions to detect, respond to, and recover from a security incident, with specific response actions for each type of incident.
Build an incident response (IR) team
Build your internal CIRT (cyber incident response team) and define clear rules and responsibilities to execute your IRP. If you do not have the internal staff to manage a ransomware attack, consider identifying an IR partner to keep on retainer.
Capture the forensics chain
Credit unions are heavily regulated, so it’s even more imperative to ensure you have the technology and process in place to maintain a sound cyber incident forensics chain that will help to determine notification requirements and the impact of the incident.
Conduct tabletop exercises
Conduct incident response tabletop exercises at least annually to test your plan and support a seamless response.
Maintain a modern backup strategy
There is a big difference between having backups and having a backup strategy supported by modern technology that enables rapid recovery and prevents ransomware from encrypting the backups.
During an Attack
Isolate
Ransomware is built to spread quickly from machine to machine, so it’s critical to stop the spread as soon as possible.
Contain
Although instinct may say “pull the power cord,” ensure your employees know not to do this. Instead, isolate the machine(s) to prevent communication on the network. Once the attacker loses access, they can no longer execute anti-forensic actions to cover their tracks and destroy evidence.
Eradicate and recover
Forensic investigation and business restoration generally are conducted simultaneously. Backups are critical here, as they allow organizations to easily recover valuable data and avoid paying the ransom.
After an Attack
Reconnect and restore
Having a Business Continuity and Disaster Recovery (BCDR) strategy in place, informed by a Business Impact Analysis (BIA), helps you understand the impacts an event like a ransomware attack can have on your credit union and provides an action plan for reconnecting and restoring critical services based on priority.
Document lessons learned
You will likely learn a lot from responding to a ransomware attack, so it’s important to use these lessons to update and refine organizational policies, plans, and procedures for the future.
How prepared is your credit union for a ransomware attack?
70% of financial firms have experienced a cybersecurity incident within the past year. Cybersecurity has officially escalated to the boardroom and become a critical element to the survivability of every credit union, yet most cybersecurity programs are merely a collection of policies and software.
Download our CIO’s Ransomware Checklist for more guidance on preparing for and responding to a ransomware attack, including a bonus incident response tabletop exercise for you to conduct with your team to determine where your organization really stands.