Articles & E-Books


Ransomware: Too close for comfort

May 04, 2022

Discussion at Wipfli’s recent Advanced BSA workshop revealed several financial institutions, including their clients, have been exposed to ransomware incidents.

The potential for any institution — whether large, small, metropolitan or rural — to be targeted for ransomware is closer than you may think and can do great damage to your internal processes and the overall U.S. economy.

What is ransomware?

Ransomware is the act of weaponizing technology to cripple critical parts of the U.S. economy and financial system. Think of how a ransom demand is the typical goal of a human kidnapping and apply that same idea to a demand for large payments through hijacking, freezing and controlling computer mainframes, operational systems and confidential data.

The incident will also most often affect the wellness of other stakeholders, including consumers, the market, and even families of company employees. Financial institutions and businesses are targeted for the main purpose of freezing operations until payment is made, with the ransom target hoping that operations will resume without severe impact to their customers and services.

The rise of ransomware as a service

Individuals or organizations that facilitate ransomware, referred to as “actors,” have been responsible for incidents bringing down healthcare systems, damaging energy operations and creating gasoline shortages. The actors are in it purely for personal or monetary gain.

Transnational criminal organizations, also described as “global level mafias,” are known to attack large and international companies for a larger financial return. These organizations have even created ransomware-as-a-service (RaaS) as a business model to offer a user-friendly “kits” to outsource to other actors that will carry out the ransomware attack for a percentage of the payment. “Work smarter, not harder” is the new motto of these organizations.

Transnational criminal organizations are on the rise and have a hand in many types of financial crimes that land them on FinCEN’s list of BSA/AML “Priorities” published in June 2021. Ransomware attacks are increasing in concern for financial institutions because they play such a critical role in processing payments, making funds transfers and providing other services that their customers rely on to conduct business.

A recent ransomware event targeted a business that provided technology support for numerous other businesses. As a result, a large group of businesses were brought down by the attack in one swoop. While the actors in this event targeted one business, the end result halted operations for many other businesses, thus damaging an entire industry.

Why you shouldn’t pay ransoms

FinCEN and the U.S Treasury’s Office of Foreign Assets Control (OFAC) collective agree that institutions and businesses should not pay ransomware demands, but rather focus on strengthening controls and defenses against actors to help prevent them from gaining access to operational systems. Paying a ransomware demand creates further issues, such as:

  • Payments made to sanctioned persons or to sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States
  • Payment simply encourages, perpetuates and incentivizes more attacks on the business itself or others
  • There is no guarantee, and it is highly unlikely, that actors will simply give the access or data back when paid
  • Payment may risk violating OFAC regulations as many known actors and transnational criminal organizations are designated, sanctioned parties.

What your institution can do instead

Your financial institution should assess the potential for a ransomware attack on the institution and implement preventative measures to thwart an attack, not only for your own operational defenses, but also to recognize when your own customer is attacked. If a customer urgently requests to send funds to a suspected ransomware actor, your institution should assist and offer alternative solutions, such as contacting law enforcement.

It should be noted, virtual currency is the most comment payment for ransomware, so your institution should be aware of unusual requests to send or convert large sums of money to a virtual currency exchanger.

FinCEN encourages all institutions to start evaluating the associated risks for a ransomware event and update the BSA/AML risk assessment accordingly. As part of the BSA/AML “Priorities,” ransomware will be on each respective regulatory agency’s radar, with preventive measures being implemented to protect our financial system and the businesses that survive on the critical services provided by financial institutions.

In the event of a ransomware incident, FinCen and OFAC instructs all financial institutions to contact law enforcement, FinCEN and the U.S. Treasury immediately to obtain assistance with navigating through the attack without paying the ransom.

How Wipfli can help

If you need assistance implementing more effective measures to help prevent ransomware, contact Wipfli. Our experienced cybersecurity can help you design a resilient security strategy that proactively protects your business and customers without sacrificing flexibility or competitiveness. Learn more on our cybersecurity page.


Stephanie Jennings, CRCM, CCBTO
View Profile