BSP to banks: Don't pay ransomware attackers

MANILA, Philippines – In the wake of a massive global ransomware attack, the Bangko Sentral ng Pilipinas (BSP) instructed banks and other financial institutions not to pay or communicate with cyber criminals.

Incoming BSP Governor Nestor Espenilla Jr on Tuesday, May 16, issued Memorandum No. 2017-018, laying down guidelines on how BSP-supervised financial institutions (BSFIs) should manage ransomware and other malware attacks.

Espenilla, current BSP deputy governor for supervision and examination, said incidents involving cyber-extortion using ransomware and other types of cybercrimes should be promptly reported to the central bank.

"If infected by ransomware, BSFIs should refrain from paying or communicating with the malicious actor as this does not guarantee that ransomed or encrypted files will be released," he said.

Espenilla pointed out that paying ransom only encourages cyber criminals' illicit activities.

"BSFIs should proactively monitor the cyber-threat environment through robust, timely, and actionable threat intelligence. Additionally, ransomware attacks should be covered by an established and well-tested incident response plan and procedures," he added.

According to him, BSFIs should provide multiple layers of defense by implementing appropriate controls at the host, network, and endpoint levels to prevent and detect malicious code.

He explained that banks should apply the "least privilege" principle in granting access to all systems and services, as well as prohibit the download and use of unauthorized files and software.

Other preventive measures include the installation and timely update of anti-malware software provided by reputable vendors, periodic vulnerability scanning, and effective patch management procedures for all critical systems and applications.

Espenilla said banks and financial institutions might need to seek assistance and cooperate with law enforcement authorities for prompt resolution of cybercrime cases, especially if these involve public safety and security.

A massive cyberattack last week affected computer systems in over 100 countries, shutting down networks at hospitals, banks, and government agencies.

Espenilla said that while Philippine institutions were not affected, BSFIs should continuously assess the cyber-threat landscape and adjust their information security programs, policies, processes, and capabilities accordingly.

"None so far. We've previously alerted the system to danger. I am sure defensive initiatives have minimized the risk," Espenilla said.

"[But] with the alarming proliferation of ransomware, BSFIs are at an increased risk of loss or unauthorized disclosure of proprietary or sensitive information, operational disruptions, financial losses incurred to restore affected systems, and reputational damage," he added.

The BSP also said banks should ensure that adequate backup and recovery procedures for critical systems and data are in place to mitigate the potential catastrophic impact of ransomware attacks. – Rappler.com