None of the banks or financial institutions in the Philippines has so far been attacked successfully by ransomware, but the central bank warned they must stay highly vigilant and be able to put up a strong defense against the latest globally proliferating cyber extortion tactic.
Ransomware uses malicious software to hold a user’s computer system hostage until a ransom is paid.
Ransomware attackers usually demand ransom in Bitcoin due to the perceived anonymity of transacting with the cryptocurrency. The malicious software locks a user’s computer for a limited time, after which the ransom increases in price or the user’s data is destroyed.
Agence France-Presse reported that more than 200,000 computers in 150 countries were hit over the weekend by ransomware attacks, described as the largest ever of their kind.
It said since Friday, banks, hospitals and state agencies have been among the victims of hackers exploiting vulnerabilities in older versions of Microsoft computer operating systems and demanding payment in the virtual currency Bitcoin.
Incoming Bangko Sentral ng Pilipinas (BSP) Governor Nestor Espenilla Jr. said it is possible certain financial institutions in the Philippines are on a target list, but so far not one of them has been successfully attacked.
“That’s another matter. None so far. We’ve previously alerted the system to the danger. I’m sure defensive initiatives have minimized the risk,” he said in a text message to reporters on Tuesday.
In a memorandum, Espenilla told the BSP-supervised financial institutions (BSFIs) that given the alarming proliferation of ransomware, they stand a higher risk of loss or unauthorized disclosure of proprietary or sensitive information, operational disruptions, financial losses incurred to restore affected systems and reputational damage.
Due to the perceived anonymity of threat actors in perpetrating ransom payment schemes, ransomware remains a viable threat that is expected to evolve into sophisticated and destructive forms, such as crypto-ransomware, he said.
With this, web-based applications, including legitimate cloud-based services, are particularly vulnerable to this type of threat, he explained.
“In this regard, BSFIs are advised to heighten their vigilance and ensure that robust protection against ransomware is in place. BSFIs should provide multiple layers of defenses by implementing appropriate controls at the host, network and endpoint level to prevent and detect malicious codes,” Espenilla added.
BSFIs are admonished to apply the “Least Privilege” principle in granting access to all systems and services and prohibit the download and use of unauthorized files and software (for example, executable files and mobile codes), and access to doubtful websites, according to the memorandum.
The BSP also mentioned other preventive measures such as the installation and timely update of anti-malware software provided by reputable vendors, periodic vulnerability scanning and effective patch management procedures for all critical systems and applications.
To address the more sophisticated forms of ransomware, BSFIs were urged to consider adopting advanced security solutions such as signature-less anti-malware solutions capable of analyzing abnormal behavioral patterns in network and system traffic flows.
Another security application which may be employed, the memorandum said, was whitelisting, which allows only specified programs to run, and/or sandboxing technologies, which can inspect incoming traffic such as e-mail attachments without compromising the production environment.
“To mitigate the potential catastrophic impact of ransomware attacks, BSFIs should ensure that adequate back-up and recovery procedures for critical systems and data, including periodic testing to check the integrity thereof, are in place,” it said.
The memorandum pointed out that even back-ups are not immune to attacks, thus BSFIs are urged to consider supplementing existing practices with cloud-based back-ups and/or back-ups using removable media or air-gapped facilities.
“Alongside these controls, BSFIs should strengthen user education and awareness to include employee safe-practice procedures when using the email service and browsing the web,” it said.
What to do when infected
If infected by ransomware, the BSP said, BSFIs should refrain from paying or communicating with the malicious actor as this does not guarantee that ransomed and/or encrypted files will be released.
“Instead, paying ransom only encourages cyber criminals’ illicit activities. BSFIs should proactively monitor the cyber-threat environment through robust, timely and actionable threat intelligence,” it said.
Additionally, it said ransomware attacks should be covered by an established and well-tested incident response plan and procedures.
“Finally, incidents involving cyber-extortion using ransomware and other types of cyber-related crimes should be promptly reported to the BSP in accordance with Subsection X192.4 of the Manual of Regulations for Banks (MORB), as revised by Memorandum No. M-2016-014 dated 02 November 2016 and Section X177.8 of the MORB,” it added.
In some instances, BSFIs may need to seek assistance and cooperate with enforcement authorities for prompt resolution of cybercrime cases, especially if these involve public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations, the regulator said.
Above all these recommendations, BSFIs are also called upon to continuously assess the cyber-threat landscape and adjust their information security programs, policies, processes, and capabilities accordingly.
“BSFIs may refer to leading security standards and frameworks set by standard-setting bodies, including specific inputs from their third-party service providers and security vendors, to effectively prevent, detect, respond to, and recover from these types of attacks,” the BSP added.