Scores of US credit unions offline after ransomware infects backend cloud outfit

A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor. 

This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this week by the intrusion. The NCUA regulates and insures these financial orgs.

“I can confirm that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider,” the NCUA spokesperson said. “Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000.”

We’re told the unions’ IT provider Ongoing Operations – ironic – was hit by ransomware on Sunday, sparking days of disruption for the biz’s clients. It’s believed the cloud provider was infiltrated via the Citrix Bleed vulnerability.

Ongoing Operations, which is owned by Trellance and provides things from disaster recovery solutions to remote virtual desktops and hosted applications, told its customers:

On Thursday, northern New York’s Mountain Valley Federal Credit Union appeared to be one of the many orgs suffering “system downtime” as a result of a ransomware infection at Ongoing Operations. Mountain Valley’s CEO described it as a “nationwide” issue. MVFCU has four branches in New York state.

“It has been brought to our attention by our data processor – FedComp Inc, that the third-party vendor of our computer operating system ‘Trellance’ was the victim of a ransomware attack,” boss Maggie Pope said [PDF] in a letter to her credit union members. 

(FedComp had posted a note, since removed, on its website confirming it had been caught up in the aftermath of the ransomware attack: “The FedComp Data Center is experiencing technical difficulties and is under a countrywide outage. We are down with no ETA, but Trellance is still working on resolving the issue. There is no email support, but the Tech line is available.”)

• US readies prison cell for another Russian Trickbot developer
• Black Basta ransomware operation nets over $100M from victims in less than two years
• Europol shutters ransomware operation with kingpin arrests
• Ransomware-hit British Library: Too open for business, or not open enough?

Mountain Valley’s Pope continued in her note to customers: “Trellance has indicated that our member information has not been affected by this incident. Because of this, Trellance must move to a new server system. Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online.”

Pope did not respond to The Register‘s inquiries, nor did Trellance. Ongoing Operations, meanwhile, told us much of what it informed its clients earlier, adding:

According to its website, Trellance has “hundreds” of customers across the US.

A FedComp employee told The Register that both Trellance and FedComp are “working to fix” the mess, while a FedComp spokesperson said the outfit had “no comment on the third-party incident.”

The NCUA told us it has informed the US Treasury Department, CISA, and the FBI about the cyber-break-in. ®