New York Ransomware


Today, Superintendent Linda A. Lacewell announced that the New York State Department of Financial Services has released new guidance regarding ransomware attacks. The guidance identifies cybersecurity measures that significantly reduce the chance of a ransomware-related attack. Companies should implement these controls whenever possible.

“As ransomware attacks continue their surge, implementing cybersecurity precautions is crucial to protect consumers, business lines, and customers,” Superintendent Lacewell. “Cybercriminals not only extort individual companies but also threaten the stability of financial services. It is up to us all to stop ransomware attacks.

Ransomware attacks have become more sophisticated, frequent, and widespread. In 2020, ransomware attacks were reported to have increased by 300%. The development of more efficient hacking tools and ransomware tools has been funded by larger extortion payments. This has enabled hackers to increase their ranks. Therefore, the FBI and the Department recommend that companies refrain from making ransomware payments if their networks are compromised.

DFS examined ransomware incidents reported to it by its regulated entities in the past year and a half. It found that hackers use the same pattern to enter victim’s networks, gain administrator privileges once inside, then use these privileges for ransomware, bypass security controls, steal data and disable backups.

DFS encourages all regulated entities and organizations to be prepared for ransomware attacks by taking measures like:

  • Training employees in Cybersecurity Awareness and Anti Phishing
  • Use a Vulnerability Management and Patch Management Program.
  • Use strong passwords and multi-factor authentication
  • Protect Credentials for privileged accounts by using Privileged Access Management
  • Monitor and Respond to Detect and Contain intruders
  • Test and Segregate Backups to Ensure Critical Systems Can be Restored In the Event of an Attack
  • A Ransomware-Specific Incident Response Plan is developed and tested by senior leadership

This guidance is a reflection of DFS’s ongoing commitment to cybersecurity improvement and sharing information to protect consumers as well as the industry. DFS also issued multiple alerts concerning ongoing cyber threats. These include the SolarWinds Attack and weaknesses in Microsoft Exchange Server. Additionally, DFS identified an ongoing hacker campaign.

DFS’s Cybersecurity Regulation, which was the first-in-the-nation, went into effect in March 2017. DFS’s Cybersecurity regulation has been a model for many other regulators including the U.S. Federal Trade Commission and multiple states. It was also adopted by the National Association of Insurance Commissioners and the Conference of State Bank Supervisors. DFS also created a Cybersecurity Section in 2019 to oversee all aspects of its Cybersecurity Regulation throughout New York’s financial sector.