How Financial Institutions Can Fight Back Against Ransomware

Author: NICSA

On #WebinarWednesday, NICSA members learned how a far-reaching defense strategy can protect financial institutions against cybercrime.

Ron Plesco, Principal, Cyber Response Services at KPMG, moderated the Oct. 11 discussion, which helped listeners identify ransomware, assess risks and strike a balance between providing digital opportunities to shareholders and protecting them from cyber attacks (NICSA members can replay an archived version of the webinar here). Panelists included Brian Fay, Manager, Threat Investigation-Hunting Team at U.S. Bank, and Nick Sherwood, Vice President, Cybersecurity at OppenheimerFunds.

Ransomware is infectious software that encrypts victims’ data and/or systems, making them unreadable unless a ransom is paid. The process follows a basic framework: (1) Installation; (2) Contact; (3) Encryption; and (4) Extortion.

“Actors” vary by motivation. Hacktivists operate around a political or social agenda, nation states seek to compromise target governments, organized crime groups attempt to monetize data, corporate espionage criminals steal information to gain a business advantage, and malware developers sell the malicious software itself.

The panelists generally advised against paying ransom, as these payments are typically used to fund other criminal enterprises.

Financial institutions face an array of potential risks, including data loss, operational impacts, regulatory fines and reputation loss.

To assess whether your institution is prepared for an attack, the first step is identifying those systems (often referred to as “crown-jewel systems”) that contain data that are most valuable and most important to protect. To prepare for the worst-case scenario that critical data is encrypted, firms should determine workarounds with critical analysis of risk models.

Panelists suggested that firms safeguard shareholder data through high-level security measures. Firms should focus on awareness and training as well as patch updates and automatic anti-virus/anti-malware updates. It’s also important to implement the principle of least privilege by looking at your local administrative rights on workstations.

Our experts explained that measures can be taken to detect data integrity attacks before they occur, pointing to third-party vendors utilized to proactively monitor for breaches. In addition to monitoring, it’s important to train staff to report suspicious activity. Participants were encouraged to ensure they have a way for both customers and employees to report malicious activity.

Should firms suspect something is awry, firms can file complaints with the Internet Crime Complaint Center (IC3) by visiting

