
vCISO Cybersecurity Intelligence Brief: May 2026

Executive Summary

Every month, TraceSecurity’s Senior Information Security Engineers develop a Cybersecurity Intelligence Brief exclusive to our vCISO customers. These briefs include information on the latest threats to organizations, training recommendations, best practices, regulatory advice, and more. Below are a few highlights from our vCISO brief for April 2026.

This month’s brief addresses a surge in ransomware attacks targeting financial services, urgent software updates released by Microsoft and Cisco that require immediate attention, and a major shift in attacker tactics from locking up files to stealing customer data. We also provide staff training materials on recognizing the warning signs of a hidden cyberattack, and outline best practices that leadership and IT teams can use together to strengthen your institution’s defenses.

  • 65% of Financial Institutions Hit by Ransomware in 2026
  • 25 Min Average Time from Break-In to Data Being Locked or Stolen
  • 97% of FIs Have Exposure to a Vendor-Related Breach

Emerging Threat Landscape

The following threats have been identified as having significant relevance to community banks, credit unions, and savings institutions during the current reporting period.

CRITICAL: Active Ransomware Attacks Targeting Banks and Credit Unions

A criminal group known as DragonForce has become the most active ransomware operation targeting financial institutions in May 2026. The group has claimed responsibility for attacks on hundreds of organizations and recently confirmed attacks on two U.S. financial firms—First Trinity Financial and Delbrook Capital Advisors. DragonForce often partners with another criminal group called Scattered Spider, which specializes in tricking employees and IT help desk staff into providing access. Once inside, they can steal customer data and lock up systems in as little as 25 minutes.

What this means for your institution: A successful attack could shut down core banking systems, expose customer data covered under GLBA, trigger required regulatory notifications (36 hours for FDIC-supervised institutions, 72 hours for credit unions), and result in significant member or customer notification obligations under state laws. Even if your institution has backups, the stolen data cannot be “restored”—it is already in criminal hands.

For Leadership: Confirm with your IT team and core processor that offline backups are tested and verified. Ask when your last ransomware tabletop exercise was conducted; if it has been more than 12 months, schedule one. Review your cyber insurance to ensure it covers both ransomware AND pure data theft (these are increasingly treated differently). Review your incident response plan and confirm everyone on the call list is current.

For IT/Operations: Verify offline, air-gapped backups are tested and not accessible from production networks. Deploy endpoint detection and response (EDR) tools with anti-ransomware and shadow copy protection. Implement network segmentation to limit lateral movement. Train help desk staff specifically on Scattered Spider social engineering tactics. Update IR playbooks for dual-extortion scenarios. Reference CISA Advisory AA23-320A for current indicators of compromise.

CRITICAL: Urgent Microsoft Windows Updates Released May 13

On May 13, Microsoft released its monthly batch of security updates, fixing 130 issues. Two of them are particularly dangerous: both allow attackers to take over Windows computers without needing a password and without any user clicking anything. Security researchers describe these as “wormable,” meaning that once an attacker infects one machine, the attack can spread automatically to every other Windows computer on the network. These types of flaws are exactly what ransomware groups look for.

What this means for your institution: Every Windows computer in your institution—workstations, servers, domain controllers—is potentially vulnerable until patched. The most dangerous of these updates affect the systems that run your network behind the scenes. Delaying these updates significantly increases the chance of a successful attack. Examiners increasingly ask about how quickly institutions apply emergency patches.

For Leadership: Ask your IT team or technology service provider (TSP) for written confirmation that these May updates have been applied across all Windows systems within 72 hours of release. Document the response in your risk register. If patching has been delayed for any reason, ask what compensating controls are in place. This is the type of question examiners frequently ask.

For IT/Operations: Apply May 13 Patch Tuesday updates immediately, prioritizing domain controllers, internet-facing servers, and remote access infrastructure. Critical patches to prioritize: CVE-2026-41089 (Netlogon RCE, CVSS 9.8), CVE-2026-41096 (DNS Client RCE, CVSS 9.8), CVE-2026-42898 (Dynamics 365 On-Premises RCE, CVSS 9.9), and CVE-2026-42826 (Azure DevOps, CVSS 10.0). Verify TSP and critical vendor patching status. Document timing for examination evidence.

HIGH: Email System Vulnerability Affecting On-Premises Exchange

Microsoft disclosed on May 14 that older versions of Exchange Server—the system many community banks and credit unions still use to host their own email—contain a vulnerability that lets attackers run malicious code simply by sending a specially crafted email. The attack works when an employee opens the email through Outlook on the Web (the browser version of Outlook). This does not affect institutions that use Microsoft 365 or Exchange Online (cloud-based email).

What this means for your institution: If your institution still runs its own email server, this is a direct threat. Email is the most common entry point for cyberattacks against financial institutions. A compromised email system gives attackers access to internal communications, customer data, and a credible platform for follow-on attacks against staff and vendors.

For Leadership: Ask your IT team or TSP whether your institution uses on-premises Exchange or cloud-based email. If on-premises, ask for written confirmation that the May 14 mitigation has been applied. Use this as an opportunity to discuss whether moving to cloud-based email makes sense for your institution—many community banks and credit unions are transitioning to reduce maintenance burden.

For IT/Operations: Identify all on-premises Exchange Server deployments. Confirm Exchange Emergency Mitigation (EM) Service is enabled and mitigation M2.1.x is applied for CVE-2026-42897. Run the Exchange Health Checker script (aka.ms/ExchangeHealthChecker) to verify. Servers running Exchange versions older than March 2023 cannot receive automatic mitigations and should be prioritized for upgrade. Evaluate migration to Exchange Online.

HIGH: Cisco Network Equipment Flaw Being Actively Exploited

Cisco issued an updated security advisory in May 2026 covering a serious flaw in its SD-WAN networking equipment, which is commonly used to connect branch locations to a main office. The flaw lets an attacker take administrative control of the equipment without needing a password. Because SD-WAN equipment sits at the core of an institution’s network, compromising it could give an attacker the ability to monitor, redirect, or interrupt traffic across the entire branch network.

What this means for your institution: If your institution uses Cisco SD-WAN equipment—either directly or through your technology service provider—this should be addressed urgently. Compromise of network infrastructure is one of the worst-case scenarios because it bypasses many other security controls.

For Leadership: Ask your IT team or TSP whether your institution uses Cisco Catalyst SD-WAN (formerly vSmart or vManage). If yes, ask when the May 2026 Cisco advisory patches were applied and whether the indicators of compromise (IOCs) were reviewed. Document the response for your records.

For IT/Operations: Identify all Cisco Catalyst SD-WAN Controller and Manager deployments. Apply Cisco’s patches immediately—treat as emergency patching given active exploitation. Review the advisory’s Indicators of Compromise section; check Show Control Connections output for signs of compromise. Coordinate with TSP if SD-WAN is externally managed.

MEDIUM: Attackers Are Shifting from Locking Up Files to Stealing Data

Industry data from the first half of 2026 confirms a major shift in how cybercriminals operate. In the past, most ransomware attacks involved “locking up” an institution’s files and demanding payment for the unlock code. Today, an increasing share of attacks (now 65%) skip the file-locking step entirely and simply steal sensitive data, then threaten to publish it unless a ransom is paid. For financial institutions, this is a fundamentally different problem: backups don’t help, and the institution must notify customers and regulators whether or not the data is ever published.

What this means for your institution: Your institution’s breach notification obligations under GLBA and state laws are triggered when customer data is exfiltrated—even if no files were encrypted, no operations were interrupted, and no ransom was paid. Backup-based recovery strategies do not address this scenario. Cyber insurance policies may have different coverage terms for encryption events versus pure extortion, and you should know which type your policy covers.

For Leadership: Review your cyber insurance policy with your broker. Specifically ask: “Is data theft without encryption covered the same as a traditional ransomware event?” Discuss with legal counsel what triggers customer notification obligations in your state, and update your incident response plan accordingly. Brief your Board on this shift in attacker tactics.

For IT/Operations: Deploy data loss prevention (DLP) tools to monitor outbound data transfers. Implement egress monitoring for large file uploads to consumer cloud storage (OneDrive, MEGA, Dropbox) from non-administrative accounts. Establish baseline data flow patterns and alert on anomalies. Update IR playbooks for pure-extortion scenarios, including GLBA Safeguards Rule notification triggers.
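The egress-monitoring recommendation above, worked as an added example (not TraceSecurity's or any DLP vendor's code): it parses constructed proxy egress records, flags large uploads to the consumer cloud services named in the brief from accounts outside an assumed admin allow-list, and compares each user's daily total against an assumed baseline. The log format, thresholds, baseline figures and account names are all assumptions for illustration.

```python
"""Egress anomaly check for pure-extortion (data theft) scenarios.
Added example; log format, thresholds and baselines are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records, assumed format: "timestamp user dest_host bytes_out"
SAMPLE_LOG = """\
2026-05-20T09:02:11Z jdoe mail.example.bank 48213
2026-05-20T09:15:40Z jdoe onedrive.live.com 1200000
2026-05-20T10:01:05Z asmith storage.mega.nz 2400000000
2026-05-20T10:03:17Z asmith storage.mega.nz 1900000000
2026-05-20T11:20:00Z svc_backup backup.vendor.example 5000000000
2026-05-20T12:44:09Z bjones dl.dropboxusercontent.com 900000000
"""

# Consumer cloud storage domains called out in the brief (OneDrive, MEGA, Dropbox)
CONSUMER_CLOUD = ("onedrive.live.com", "mega.nz", "dropbox.com", "dropboxusercontent.com")
ADMIN_ACCOUNTS = {"svc_backup"}            # assumed allow-list for sanctioned bulk transfers
UPLOAD_THRESHOLD = 500 * 1024 * 1024       # assumed: 500 MB in a single transfer
BASELINE = {"jdoe": 50_000_000, "asmith": 20_000_000, "bjones": 100_000_000}  # assumed daily bytes
BASELINE_MULTIPLIER = 10                   # assumed: alert at 10x a user's normal daily egress

@dataclass
class Alert:
    user: str
    dest: str
    bytes_out: int
    reason: str

def is_consumer_cloud(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed consumer storage domain."""
    return any(host == d or host.endswith("." + d) for d in CONSUMER_CLOUD)

def parse_log(text: str):
    """Yield (timestamp, user, host, bytes_out) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, user, host, nbytes = line.split()
        yield ts, user, host, int(nbytes)

def detect(text: str) -> list:
    alerts, per_user = [], defaultdict(int)
    for ts, user, host, nbytes in parse_log(text):
        per_user[user] += nbytes
        if user in ADMIN_ACCOUNTS:
            continue
        if is_consumer_cloud(host) and nbytes >= UPLOAD_THRESHOLD:
            alerts.append(Alert(user, host, nbytes, "large upload to consumer cloud storage"))
    for user, total in per_user.items():  # second pass: deviation from per-user baseline
        base = BASELINE.get(user)
        if user not in ADMIN_ACCOUNTS and base and total > base * BASELINE_MULTIPLIER:
            alerts.append(Alert(user, "*", total, f"daily egress exceeds {BASELINE_MULTIPLIER}x baseline {base}"))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.user:<12}{a.dest:<30}{a.bytes_out:>12}  {a.reason}")
```

In production the same two checks would run over exported proxy, firewall or CASB logs rather than the embedded sample, and the baseline would be learned from a few weeks of history per account.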

Spotting the Warning Signs of a Hidden Cyberattack

Most people picture a cyberattack as a sudden, obvious event—files locked, ransom notes on screens, alarms going off. The reality in 2026 is very different. Today’s attackers usually spend hours or days quietly inside a network before doing anything visible. They look around, find what’s valuable, and then either steal it or lock it up. The warning signs during this quiet phase are subtle—but every employee can learn to recognize them. This training module is designed to be shared with all staff, including non-technical employees.

What We Used to Teach

  • Files becoming locked or unreadable
  • Ransom notes appearing on screen
  • Computers shutting down unexpectedly
  • Obvious virus warnings

What We Teach Now

  • Computer is unusually slow or sluggish
  • Unfamiliar programs running in the background
  • Unexpected login alerts or MFA prompts
  • Strange activity in shared folders or OneDrive

5 Actions Every Employee Can Take

NOTICE: Pay Attention to How Your Computer Behaves

If your computer suddenly becomes slow, the fans run loud when you’re not doing much, programs you don’t recognize appear, or things just feel “off,” that’s worth reporting. You don’t need to know what’s wrong—you just need to mention it to your IT team. Trust your instincts. If something feels different than normal, it probably is.

SPEAK UP: Mention Anything Unfamiliar to IT

If you see software you didn’t install (especially anything that looks like remote access tools with names like AnyDesk, TeamViewer, or ScreenConnect), don’t try to remove it yourself—tell IT right away. Attackers often install legitimate-looking programs to maintain access. It might be nothing, or it might be something serious. Either way, IT needs to know.

WATCH: Look for Account Alerts You Didn’t Expect

If you get a text or app notification asking you to approve a login or password change you didn’t request, do not approve it. Report it to IT. The same goes for emails about activity on your accounts—cloud storage notifications, sharing requests, or login confirmations from places you weren’t. These can be the first sign someone is using your credentials.

REPORT: When in Doubt, Tell Someone

Time matters. Today’s attackers can lock up a network in as little as 25 minutes once they’re inside. If you notice anything unusual, report it right away—even if you’re not sure it’s a problem. It is far better to report something that turns out to be nothing than to ignore something that turns out to be a real attack.

PROTECT: Simple Habits That Make a Real Difference

Lock your computer whenever you step away, even just for a moment. Don’t leave printed sensitive information sitting on your desk. Be aware of who’s around you when typing in passwords or working with member or customer information. These small habits prevent a surprising number of attacks from ever getting started.


Resources

FFIEC IT Examination Handbook: ithandbook.ffiec.gov
CISA Alerts & Advisories: cisa.gov/known-exploited-vulnerabilities-catalog
CISA Ransomware / Scattered Spider Advisory: cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Microsoft May 2026 Patch Tuesday: msrc.microsoft.com/update-guide
Cisco SD-WAN Security Advisory: sec.cloudapps.cisco.com/security/center/publicationListing.x
FS-ISAC Threat Intelligence: fsisac.com
