In recent months, ransomware attacks have gained attention and become a top concern across multiple industries. The threat has affected many well-known brands, ranging from cable providers and aircraft manufacturers to mortgage servicers and title insurance companies. Ransomware is a type of malware used to infect computers and encrypt data. Once infected, the ransomware attempts to spread to connected systems. This can include computers accessible on the network, shared drives, and backups. The goal of the attack is to render data and applications unusable for the victim until a ransom is paid.
According to Corvus Insurance, ransomware leak site victims reached a record high in November: a 39% increase from the prior month and a 110% increase year-over-year. The report suggests the uptick was largely due to LockBit and the CVE-2023-4966 Citrix Bleed vulnerability. The exploit allows threat actors to circumvent password requirements and multi-factor authentication (MFA) to hijack legitimate user sessions for harvesting credentials and accessing data. On November 21, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) also issued an advisory.
For financial services organizations, ransomware attacks can be particularly damaging. In August 2023, real estate brokers and agents in the U.S. suffered from an attack that took 23 multiple listing service (MLS) systems offline. MLS systems are private databases created, maintained, and funded by real estate professionals to help clients buy and sell properties. In November, one of the largest mortgage servicers in the U.S. experienced an outage impacting millions, and homeowners were unable to submit mortgage payments. Weeks later, two large title insurance providers in the U.S. and UK were attacked, and closing transactions were delayed. In early January, one of the largest non-bank lenders was also attacked.
What are the consequences of a ransomware attack? Depending on the industry, the answer will vary. To understand the scope of impact, consider these two sample customer transactions: an iced latte versus a residential piece of real estate. While the first is likely the smallest purchase a customer may make in a single day, the other may be the largest single purchase they make in their lifetime. If the ice cubes used for making the latte represent data, a real estate financing transaction is an iceberg. The volume of personally identifiable information (PII) involved with buying and selling a home and making monthly loan payments makes real estate, mortgage, and title firms highly sought-after targets for would-be attackers.
The Ice Cube
When a national coffee chain is subjected to a ransomware attack, customers are likely to face temporary inconveniences. Systems may go offline. Point-of-sale systems for credit cards may be unavailable until the recovery process is complete. Perhaps loyalty rewards information or some confidential data is exfiltrated. If it is determined that a material breach occurred, the compliance team will act in accordance with state and federal breach notification laws. The impacted organization will notify, within a required timeframe upon discovery of the incident, the attorney general for each state in which affected customers reside. Impacted customers will subsequently receive a notification. If PII is stolen or lost for certain customers, those individuals may be offered free credit monitoring for a designated period.
For a mortgage lender or title agency experiencing a ransomware attack, the incident response process is similar. However, the downstream impact can have significantly greater consequences. For those in the process of buying or selling a home, closings may be delayed. Outages may prevent appraisers from uploading reports. Title companies may be unable to disburse funds from escrow. Seller proceeds, mortgage payoff amounts, real estate agent commissions, and other payments will be delayed until systems are fully restored. The homeowner may be unable to make their monthly loan payment online. A mortgage servicer may be unable to receive borrower payments.
For most borrowers in the U.S., the mortgage servicer also facilitates the property tax and insurance payments on behalf of the homeowner. For these escrowed loans, the impact of a ransomware incident could disrupt real estate tax payments to counties and payments toward homeowner insurance policy premiums. The extent to which stolen data is used for other purposes beyond extortion, such as identity theft or credit card fraud, may also remain largely undetermined for an extended period.
The real estate mortgage and financing ecosystem depends on moving large sums of money in a timely manner between multiple transaction participants. Whether delayed mortgage payments or delayed real estate agent commissions, the immediate impact of a ransomware incident on a financial services organization can be substantial. A sustained outage could affect loan amortization schedules, interest calculations, and principal balances. To facilitate funding new mortgages, lenders regularly sell loans to government-sponsored enterprises (GSEs) such as Fannie Mae and Freddie Mac. In turn, these GSEs offer mortgage-backed securities (MBS), which consist of a group of mortgages organized to pay interest like a mortgage bond. The mission for these entities is to help provide liquidity and stability to the U.S. housing market. Listed as one of 16 critical infrastructure sectors by CISA, financial services firms play an integral role in ensuring economic stability.
From making their smallest purchase in a single day to the largest single purchase of their lifetime, a customer’s expectations regarding data protection will vary. Leaking a customer’s latte purchase history is not a desired outcome; however, the theft of data containing a borrower’s credit history, income, bank account number, and transcripts of past tax returns is exponentially less preferred. A substandard approach to securing transactions for this segment of the industry can create dangerously high levels of risk. The real estate financing industry plays a vital role in helping individuals achieve home ownership, and customer data protection efforts should be considered accordingly.
Best Practices for Preparation, Prevention, and Mitigation
CISA’s #StopRansomware Guide provides ransomware and data extortion preparation, prevention, and mitigation best practices. Preparation best practices focus on backups, incident response plans, and implementing a Zero Trust architecture. For prevention and mitigation best practices, CISA groups by initial access vectors, such as phishing and compromised credentials. Highlights from CISA’s recommendations include:
- Maintain Frequent Backups: Encrypt backups of critical data and store them on separate devices inaccessible from a network.
- Zero Trust Architecture (ZTA): Organizations should consider implementing a Zero Trust architecture to prevent unauthorized access to data and services.
- Update and Patch Systems: Ensure applications and operating systems have the latest patches and updates. Updates should be obtained directly from vendor sites rather than clicking on email links. Enable automatic software updates and do not use end-of-life software.
- Email: If you are unsure whether an email is legitimate, CISA recommends verifying the email’s legitimacy by contacting the sender directly.
Secure Financial Futures with Entrust
From encryption to identity and access management, Entrust offers a range of solutions financial services firms are leveraging as part of their overall risk-mitigation best practices.
- Entrust nShield Hardware Security Modules (HSMs) provide data security across devices, processes, platforms, and environments. Application-level encryption can be policy-based and geared to specific data protection requirements. Entrust nShield HSMs are available in a variety of hardware configurations as well as an nShield as a Service offering.
- Entrust KeyControl, based on a strong root of trust delivered by nShield HSMs on-premises or as a service, ensures the secure and efficient management of cryptographic assets. An enterprise platform offering centralized visibility of keys and secrets, KeyControl facilitates decentralized vaults for managing keys and secrets throughout their lifecycle for a wide range of use cases, including enterprise backup and recovery.
- Secure/Multipurpose Internet Mail Extension (S/MIME) allows users to encrypt and send documents securely in real time without the need for zip files or passwords. Real estate agents, title companies, and lenders can prove where and when the message originated, as well as demonstrate that documents have not been tampered with in delivery. By retroactively protecting email, Entrust S/MIME certificates also help organizations mitigate the risk of data breaches.
- Phishing-Resistant Identities ensure both the user and device are verified and authenticated using digital certificates to help protect against business email compromise (BEC) and account takeover (ATO) attacks. Compromised credentials are a common initial access vector in ransomware attacks. For more information, see the 2023 Gartner® Magic Quadrant™ for Access Management recognizing Entrust as a Challenger.
- Verified Mark Certificates (VMCs) are digital certificates that enable organizations to display their registered trademark logo in the avatar slot alongside outgoing emails. A common delivery method for ransomware is phishing. Real estate brokerages, lenders, and title agencies leveraging VMCs can prove to their transaction participants that emails received are indeed from the sending organization and not spoofed emails. VMCs also help reduce the risk of wire transfer fraud and seller impersonation fraud.
- Post-Quantum Readiness – Long-lived data, such as property ownership history and mortgage loan servicing information, are at greater risk of the “Harvest Now, Decrypt Later” threat. Within the decade, quantum computing capabilities powerful enough to break public key encryption protocols are expected. Organizations involved in the real estate financing industry should take steps now to protect sensitive data, applications, and transactions.
Contact us to learn how Entrust can help your organization protect data and mitigate the risk of ransomware.