Pub. 12 2021 Issue 4

wvbankers.org 8 West Virginia Banker I t’s the message a CEO never wants to receive: “We’ve got your data and you need to pay up if you want it back.” Unfortunately, that message is landing in CEO inboxes increasingly often, as ransomware attacks ramp up in the U.S. In just the first six months of 2021, the Financial Crimes Enforcement Network identified $590 million in ransomware-related Suspicious Activity Reports – a 42% increase from the 2020 total of $416 million. And FinCEN reports that we could be on track to see a higher transaction value for ransomware-related SARs than we’ve seen in the past 10 years combined. Ransomware attacks – which use malware to encrypt files on a computer or mobile device and render it unusable until a ransom is paid – present companies with an unsavory dilemma: pay a ransom to a criminal actor, or lose a potentially devastating amount of data, which could seriously compromise business operations. These kinds of attacks are evolving quickly in sophistication and scope, and virtually any business could be targeted at any time. What’s perhaps most concerning is that criminal actors are increasingly targeting critical infrastructure entities, as we saw in the Colonial Pipeline incident earlier this year that caused a shutdown of a major East Coast oil provider. They’ve also begun branching out into “extortion-ware,” in which the hacker not only encrypts sensitive data but then goes the extra step and threatens publicly to release it unless the institution complies with their demands. Given the potential operational and reputational consequences of these types of cyberattacks, banks need to have a plan in advance for how they’ll respond. There are a number of factors to consider. First, while most companies choose to pay – cyber insurer Marsh McLennan reports that more than 60% of ransomware victims pay the requested ransom – it’s not always guaranteed that the encrypted data will be fully restored. In fact, one survey of more than 5,000 I.T. decision-makers worldwide found that about half of those who did pay a ransom only recovered 65% of their compromised data. Twenty-nine percent said they only recouped about 50%. And even if a company’s ransom hacker unlocks all the encrypted data after the ransom is paid, the company will still need to take steps to clean that data and ensure it can’t be easily re-encrypted. On the other hand, there are also several good reasons not to pay a ransom. There are the societal costs to consider – paying the ransom could perpetrate attacks on other institutions or To Pay or Not to Pay: Ransomware Attacks Offer an Unsavory Choice By Rob Nichols, American Bankers Association WASHINGTON UPDATE