Ransomware Self-Assessment Tool: OCTOBER 2020

This document provides a ransomware self-assessment tool for financial institutions to evaluate their preparedness and identify gaps in protecting against ransomware attacks. It was developed by banking organizations and regulators to help assess efforts to mitigate ransomware risks. The tool covers topics like cybersecurity controls, risk assessments, third party management, backups, and employee training. Completing the self-assessment accurately can help executive management and boards understand an institution's ransomware preparedness and areas for improvement.


Ransomware Self-Assessment Tool
OCTOBER 2020
Developed by the Bankers Electronic Crimes Task Force, State Bank Regulators, and the United States Secret Service
Purpose
The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators, and the United States Secret Service developed this tool to help financial institutions assess their efforts to mitigate risks associated with ransomware [1] and identify gaps for increasing security. This document provides executive management and the board of directors with an overview of the institution’s preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack.

Ransomware is a type of malicious software (malware) that encrypts data on a computer, making it difficult or impossible to recover. The attackers usually offer to provide a decryption key after a ransom is paid; however, they might not provide one, or it might not work if provided, which could make the financial institution’s critical records unavailable. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations [2].

Completing the Ransomware Self-Assessment Tool (R-SAT)

The Ransomware Self-Assessment Tool is derived from the BECTF Best Practices for Banks: Reducing the Risk of Ransomware (June 2017), which have been updated for today’s environment. Accurate and timely completion of the assessment, as well as periodic re-assessments, will provide executive management and the board of directors with a greater understanding of the financial institution’s ransomware preparedness and areas where improvements can be made. This could also assist other third parties (such as auditors, security consultants and regulators) that might also review your security practices.

Due to the sophistication of this threat, some areas in the review are mildly technical. You may want to ask your vendors and third-party service providers to complete some questions.

Preparer Information
Please provide the following information regarding the preparer of this document.

Name and Title: ___________________
Email and phone number: ___________________
Institution Name: ___________________
Date Completed: ___________________
Date Reviewed by Board: ___________________

[1] Refer to Federal Financial Institutions Examination Council (FFIEC) Joint Statement Cyber Attacks Involving Extortion
[2] Refer to FinCEN Advisory Ransomware and the Use of the Financial System to Facilitate Ransom Payments and OFAC Ransomware Advisory

Ransomware Self-Assessment Tool / October 2020


IDENTIFY/PROTECT

1. Have you implemented a comprehensive set of controls designed to mitigate cyber-attacks (e.g. Center for Internet Security’s (CIS) Critical Security Controls [3])? ☐ YES ☐ NO

What standard(s) or framework(s) are used to guide cybersecurity control implementation [4]? Check all that apply.
☐ AICPA SOC
☐ CIS Controls
☐ COBIT
☐ FFIEC CAT
☐ FSSCC Cybersecurity Profile
☐ ISO
☐ NIST Cybersecurity Framework
☐ PCI DSS
☐ Other (List below)
___________________
Note: State bank regulators do not endorse any specific standard or framework.

2. Has a GAP analysis been performed to identify controls that have not been implemented but are recommended in the standards and frameworks that you use? ☐ YES ☐ NO

3. Is the institution covered by a cyber insurance [5] policy that covers ransomware? If yes, please provide the name of the insurer. ☐ YES ☐ NO

[3] Refer to Center for Internet Security’s The 20 CIS Controls & Resources
[4] American Institute of CPAs System and Organization Controls (AICPA SOC), Center for Internet Security’s (CIS) Controls, Control Objectives for Information Technologies (COBIT), Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT), Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST) Cybersecurity Framework, and Payment Card Industry Data Security Standard (PCI DSS).
[5] Refer to the FFIEC Joint Statement - Cyber Insurance and Its Potential Role in Risk Management Programs



4. It is important to know the location of the institution’s critical data and who manages it. Indicate if the following systems or activities are processed or performed internally or are outsourced to a third party (such as vendors that specialize in Core or that provide network administration (aka Managed Service Providers or MSPs)).

                                         In-House   Outsourced
Core Processing                            ☐           ☐
Network Administration                     ☐           ☐
Email Service                              ☐           ☐
Image Files (Checks, Loans, etc.)          ☐           ☐
Trust                                      ☐           ☐
Mortgage Loans                             ☐           ☐
Investments (Bonds, Stocks, etc.)          ☐           ☐
Other Critical Data (Please list below):
___________________________                ☐           ☐
___________________________                ☐           ☐
___________________________                ☐           ☐
___________________________                ☐           ☐
___________________________                ☐           ☐
5. Do any third-party vendors (including any MSPs) have continuous or intermittent remote access to the network? ☐ YES ☐ NO

If yes, explain the different types of access that they have (such as remote scripting, patching, sharing screens, VPN, etc.).

If yes, are controls implemented to prevent ransomware and threat actors from moving from the third-party’s network to the institution’s network via these types of access? ☐ YES ☐ NO

If yes, describe the controls.

Have all third-party vendors with remote access provided an independent audit that confirms these controls are in place? ☐ YES ☐ NO

6. Do risk assessments include ransomware as a threat? ☐ YES ☐ NO

If yes, are common potential attack vectors (e.g., phishing, watering holes, malicious ads, third-party apps, attached files, etc.) identified? ☐ YES ☐ NO


7. Have all ransomware risks and threats identified in risk assessments been appropriately remedied or mitigated to an acceptable risk level? ☐ YES ☐ NO

8. Indicate which of the following are included annually as part of employee security awareness
training programs. (Check all that apply.)

☐ Ransomware

☐ Social engineering and phishing

☐ Incident identification and reporting

☐ Testing to ensure effective training

☐ None of the above


9. Indicate which controls have been implemented for backing up Core Processing and Network Administration data. (Check all that apply and provide explanations where needed in the comment box below.) For other critical data, such as Trust services, Mortgage Loans, Securities - Investments, and others, use the form in the Appendix. If any of this data is managed by an outside vendor, consider asking the vendor to complete the questions.

Controls (check for each of Core Processing and Network Admin)

a) Procedures are in place to prevent backups from being affected by ransomware. (Please describe on next page.)   Core Processing ☐   Network Admin ☐

b) Access to backups uses authentication methods that differ from the network method of authentication. (If not, please describe on next page.)   Core Processing ☐   Network Admin ☐

c) At least daily full system (vs incremental) backups are made. (If not, please describe on next page.)   Core Processing ☐   Network Admin ☐

d) At least two different backup copies are maintained, each is stored on different media (disk, cloud, flash drive, etc.) and they are stored separately. (Please describe on next page.)   Core Processing ☐   Network Admin ☐

e) At least one backup is offline, also known as air gapped or immutable. (Please describe method on next page.)   Core Processing ☐   Network Admin ☐

f) A regular backup testing process is used at least annually that ensures the institution can recover from ransomware using an unaffected backup.   Core Processing ☐   Network Admin ☐


Describe controls.


10. Indicate which of the following preventative controls have been implemented. (Check all that apply.)

☐ Remote Desktop Protocol (RDP) is disabled, or it must be accessed from behind a firewall, through a VPN configured for network-level authentication, and/or the IP addresses of all authorized connections are whitelisted.

☐ Multi-Factor Authentication (MFA) is used (Check all that apply below):
  ☐ by all users that access any cloud-based service (such as mortgage origination, HR platforms, etc.)
  ☐ for cloud email services (such as Office 365)
  ☐ for VPN remote access into the network
  ☐ with an app that generates a security code (vs a push text/SMS code)
  ☐ for at least administrative access

☐ Eliminated administrative access to endpoints, workstations, and network resources for all but network support personnel.

☐ Adopted “least privileged access” concept for granting users access to shared folders and other resources.

☐ An established process for provisioning and reviewing Active Directory access (especially for service accounts) is actively managed and reported to management.

☐ Disabled all unnecessary browser or email client plugins.

☐ Maintenance and enforcement of network-based URL and DNS filtering.

☐ Use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) that detect and block ransomware activity including exchanging encryption keys.

☐ Implementation of domain-based message authentication, reporting, and conformance (DMARC) policy and set to at least quarantine status.

☐ Use of behavior-based malware prevention tool(s). (List below.)

☐ Network segmentation to prevent spread of ransomware and the movement of threat actors across the entire network.


11. Is the threat of ransomware specifically included (such as a scenario) as part of the annual test of the incident response plan? ☐ YES ☐ NO

Does executive management participate in testing at least annually? ☐ YES ☐ NO

Does the CEO participate in testing at least annually? ☐ YES ☐ NO

DETECT
12. Indicate which of the following monitoring practices for servers, workstations, networks, endpoints, and backup systems are utilized. (Check all that apply.)

☐ Data Loss Prevention Program that provides alerts for (and prevents) large amounts of data from being exfiltrated by the ransomware.

☐ Alerts (and blocking) of executable files attempting to connect to the Internet.

☐ Active monitoring of network management tools used on workstations, such as WMI (Windows Management Instrumentation), PsExec, and other PowerShell scripts.

☐ Detection of suspicious file extensions.

☐ Detection of large amounts of file renaming.

☐ None of the above.
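The last two monitoring practices above (suspicious file extensions and large amounts of file renaming), as an added example that is not part of the R-SAT: a small detector run over constructed file-server audit events. The log line format, the extension watch-list and the burst threshold/window are assumptions chosen for the illustration.

```python
# Added example: detect renames to watch-listed extensions and per-user rename
# bursts in a constructed audit log. Format, watch-list and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <user> RENAME <old path> -> <new path>"
SAMPLE_LOG = """\
2020-10-01T09:00:01 alice RENAME /share/q3.xlsx -> /share/q3-final.xlsx
2020-10-01T09:15:00 svc-backup RENAME /share/loans/a.pdf -> /share/loans/a.pdf.locked
2020-10-01T09:15:01 svc-backup RENAME /share/loans/b.pdf -> /share/loans/b.pdf.locked
2020-10-01T09:15:01 svc-backup RENAME /share/loans/c.docx -> /share/loans/c.docx.locked
2020-10-01T09:15:02 svc-backup RENAME /share/loans/d.docx -> /share/loans/d.docx.locked
2020-10-01T09:15:02 svc-backup RENAME /share/loans/e.xlsx -> /share/loans/e.xlsx.locked
2020-10-01T11:00:00 bob RENAME /share/notes.txt -> /share/notes-old.txt
"""

SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # assumed watch-list
RENAME_THRESHOLD = 5            # this many renames by one user ...
WINDOW = timedelta(seconds=60)  # ... inside this window raises an alert

def parse_events(text):
    """Parse audit lines into (timestamp, user, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, rest = line.split(" ", 3)
        if action != "RENAME":
            continue
        old, new = rest.split(" -> ")
        events.append((datetime.fromisoformat(ts), user, old, new))
    return events

def suspicious_extension_alerts(events):
    """Return (user, new_path) for renames whose target has a watch-listed extension."""
    return [(u, new) for _, u, _, new in events
            if any(new.lower().endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)]

def rename_burst_alerts(events):
    """Return users with >= RENAME_THRESHOLD renames inside any sliding WINDOW."""
    per_user = defaultdict(list)
    for ts, user, _, _ in sorted(events):
        per_user[user].append(ts)
    alerts = set()
    for user, times in per_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:   # slide window start forward
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.add(user)
    return sorted(alerts)
```

In the constructed log the service account trips both checks (five renames to `.locked` within two seconds), while the two single renames by ordinary users trip neither.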

RESPOND
13. Does the Incident Response Plan identify a person (internal or third-party) with the expertise to manage/coordinate all aspects of a ransomware response? ☐ YES ☐ NO


14. Indicate which of the following ransomware response procedures are included in the
Incident Response Plan. (Check all that apply.)

☐ Contact legal counsel and cyber insurance company (if applicable) so they are
immediately notified.

☐ Prepare document for internal staff to use when responding to customer questions.

☐ Establish procedures to ensure forensic information and audit logs are preserved
before any restoration is performed.

☐ Determine the scope of the infection by hiring specialized third parties or, if
appropriately experienced, by using in-house or MSP resources.

☐ Prevent or isolate the ransomware from spreading to other systems.

☐ Contact federal law enforcement as they periodically obtain decryption keys for
some variants of ransomware and they know how to preserve digital evidence.

☐ Determine the cause of the incident.

☐ Mitigate all exploited vulnerabilities.

☐ Restore systems/data (if needed).

☐ Notify incident response stakeholders.

☐ Periodically update contact information for firms that assist with incident response.

☐ Notify all affected employees, customers, and/or vendors as warranted.

☐ Notify incident stakeholders as appropriate (employees, board, stockholders).

☐ A specific individual(s) is given the authority to shut down a third-party’s access to the network.

☐ Contact regulators.

☐ Other _____________________________________________________________

15. If third parties will be engaged, do contact information and/or pre-arranged service contracts exist so that legal and contract issues do not delay the response? ☐ YES ☐ NO


RECOVER
16. Indicate which of the following are included in return to normal operations procedures.
(Check all that apply.)
☐ User testing after restoration.
☐ After action review to identify lessons learned.
☐ Updating the Incident Response Plan with lessons learned.
☐ Notifying stakeholders as appropriate (employees, board, stockholders).

☐ Other:
____________________________________________________________________

COMMENTS (Optional)



APPENDIX
IDENTIFY / PROTECT
Controls for Data Backup
Identify other “critical data” not addressed in question 9 and insert the data type in the column headings for the table below. Indicate which controls have been implemented for backups of that data. (Duplicate this appendix if necessary.)
Other “critical data” should be identified in question 4 and may include:
• Trust services
• Mortgage Loans
• Securities - Investments
• Email Services
• Image files (checks, loans, etc.)
If any of this data is managed by an outside vendor, consider asking the vendor to complete.

Data Type 1: ___________   Data Type 2: ___________   Data Type 3: ___________

Controls (check for each data type)

a) Procedures are in place to prevent backups from being affected by ransomware. (Please describe on next page.)   Type 1 ☐   Type 2 ☐   Type 3 ☐

b) Access to backups uses authentication methods that differ from the network method of authentication. (If not, please describe on next page.)   Type 1 ☐   Type 2 ☐   Type 3 ☐

c) At least daily full system (vs incremental) backups are made. (If not, please describe on next page.)   Type 1 ☐   Type 2 ☐   Type 3 ☐

d) At least two different backup copies are maintained, each is stored on different media (disk, cloud, flash drive, etc.) and they are stored separately. (Please describe on next page.)   Type 1 ☐   Type 2 ☐   Type 3 ☐

e) At least one backup is offline, also known as air gapped or immutable. (Please describe on next page.)   Type 1 ☐   Type 2 ☐   Type 3 ☐

f) A regular backup testing process is used at least annually that ensures the institution can recover from ransomware using an unaffected backup.   Type 1 ☐   Type 2 ☐   Type 3 ☐


Comments on Controls
