Bay Area Credit Union Struggles to Recover After Ransomware Attack

Tens of thousands of customers of Bay Area credit union Patelco remain without access to their accounts, following a crippling ransomware attack on the 88-year-old financial institution.

The June 29 attack forced the credit union to shut down several of its key banking systems in a measure to contain damage and remediate the issue.

Restoration Could Take Days

In a July 2 update, CEO Erin Mendez said Patelco is currently working with third-party cybersecurity experts to restore affected systems expeditiously. During the process it is likely that customers could experience intermittent outages at Patelco's ATMs as well. "This is normal and to be expected during our recovery process," Mendez said. "Access to shared ATMs will not be interrupted as part of this process and they remain available for cash withdrawals and deposits."

Patelco boasts $9 billion in assets and 450,000 members nationwide, and ranks among the larger of the more than 4,500 federal insured credit unions in the US. Though it primarily serves communities in the Bay Area, San Jose, and Sacramento, Patelco's customers includes employees of more than 1,100 businesses throughout the country.

The ransomware attack impacted the credit union's online banking systems, and systems supporting its mobile app services and call center. Customers were left without access to core electronic transactions such as direct deposit, transfers, balance inquiries, and payments. "Our teams are working around the clock with top-tier cybersecurity experts to assess the situation and to restore service to you," Patelco said. "Unfortunately, we are unable to provide an ETA on when those systems will be running as expected."

A Common Pattern

Patelco's travails — and the resulting impact on customers — are typical of major ransomware incidents. Numerous reports, including one from Cigent and another from Statista, have pegged the average duration of downtime after a ransomware attack as ranging from 21 to 24 days. That's marginally better than a couple of years ago, when it took ransomware victims an average of one month to recover from an attack. "Whether you pay the ransom and manage to decrypt your original data or restore from backup, recovery can be a lengthy process," Cigent noted in its report. "They involve rebuilding systems, addressing security vulnerabilities, and regaining stakeholder trust, with recovery duration varying based on the attack’s complexity, scope, and the affected organization's preparedness."

Smaller organizations often tend to get hit much harder than large, better resourced organizations. A new study by Orange Cyberdefense showed that organizations with fewer than 1,000 employees are four times more likely to experience a cyber-extortion attack compared to medium and large businesses. A lot of it simply has to do with the fact that there are many more small businesses than large ones. So, when attackers launch opportunistic attacks, more smaller organizations get hit than large ones, the study found.

Another complicating factor is the growing tendency among ransomware actors to try and extort victims by stealing data from them and threatening to expose it. Many extortion attacks these days in fact involve data theft only and not data encryption via ransomware. As the UK National Cyber Security Centre (NCSC) recently noted, ransomware victims these days need to assume their data has been stolen as well. "In the 'least-worse case' scenario, only system data (that is, data involved in the operation of a victim's IT processes) will be stolen," the NCSC said. "In the worst case, extremely sensitive personal information (such as medical or legal details) is exfiltrated."

A case in point is Memphis-based Evolve Bank & Trust, which recently was the victim of an attack by the LockBit ransomware group. The threat actor encrypted some of Evolve's systems and exfiltrated a customer database, which it then leaked when the bank refused to pay the demanded ransom.

Patelco has not disclosed the identity of the group behind the ransomware attack on its systems. And no threat actor has claimed responsibility for it thus far. So, it's unclear if the credit union will need to deal with the prospect of having both customer and other sensitive data being leaked as well.