On June 29, 2024, Patelco Credit Union — a $9.8 billion California-based not-for-profit financial cooperative serving 460,000 members — discovered ransomware on its core banking systems. ATM withdrawals were limited, online and mobile banking went dark, debit-card transactions failed, and Zelle transfers stopped for nearly two weeks. Patelco notified the California Department of Financial Protection and Innovation (DFPI) on July 2 and disclosed publicly the same day. The intrusion was the work of RansomHub, which listed Patelco on its leak site on August 16. The forensic investigation eventually showed unauthorised access from May 23 through June 29 — a 37-day dwell window — and that data on 1,009,472 people had been exfiltrated, more than the entire membership of the credit union itself. A class action settled for $7.25 million in mid-2025.
# How did RansomHub get in?
Patelco's public statements have not identified the initial-access vector. RansomHub's general TTPs, catalogued in CISA AA24-242A (August 29, 2024), include exploitation of Citrix NetScaler, Fortinet, and Ivanti edge appliances; SocGholish fake-update drive-bys; and phishing and MFA-fatigue attacks against employees of small and mid-market financial institutions. The 37-day window is consistent with RansomHub affiliates "shopping" a network: harvesting credentials with Mimikatz, performing AD reconnaissance with SharpHound, identifying business-critical databases, staging exfiltration, and only then detonating. Patelco confirmed in its November 2024 breach-notification letter that "an unauthorised actor accessed certain databases" between May 23 and June 29, language that aligns with the harvest-then-encrypt model.
# What broke for members?
Online banking, mobile banking, the call centre's account-lookup tools, Zelle transfers, balance inquiries at ATMs, and debit-card transactions over a $500/day limit. ATMs continued to dispense cash from on-machine cash availability but could not verify balances against the core. Bill-pay services queued but did not execute. Direct deposits posted but were not visible to members. Several members reported overdraft fees they could not contest because account history was unreachable; Patelco committed in early July to reverse all such fees for the duration of the outage. Service restoration began on July 5 and full functionality returned by July 17 — nearly three weeks of degraded operations for a primary-bank relationship.
# What data was stolen?
Per the November 2024 breach notification, the compromised information included names, Social Security numbers, driver's licence numbers, dates of birth, and email addresses, with each member's specific exposure varying. The total count was revised upward from 726,000 (initial Maine AG filing in August 2024) to 1,009,472 in the November filing, after a deeper forensic review found additional affected individuals — including former members and individuals whose data was held under joint accounts or guarantor agreements. RansomHub's auction listing on August 16 priced the data for two weeks of bidding; when bidding ended without a buyer, RansomHub published the data on August 30. Class-action complaints (Calderon et al. v. Patelco, N.D. Cal.) consolidated in October 2024 and settled for $7.25 million on May 12, 2025, providing affected members up to $3,500 in documented losses plus credit-monitoring through August 2027.
# Why is RansomHub targeting credit unions?
Three reasons. First, regulatory mismatch: NCUA Part 748 cybersecurity requirements lag FFIEC IT booklets for banks and historically apply soft pressure rather than examination findings; many credit unions run legacy core-banking platforms (Symitar Episys, Jack Henry CUbase, Fiserv DNA) on hardware that has not been re-architected since the late 2000s. Second, balance-sheet leverage: a credit union's reputational risk with members is acute, raising willingness to pay. Third, downstream pivots: credit-union cores integrate with NACHA ACH operators, FedNow, and shared-branching networks; one compromise can pivot into adjacent cooperatives via shared service organisations. The NCUA issued Letter to Credit Unions 24-CU-04 on August 14, 2024, explicitly citing the Patelco incident and naming RansomHub as a priority threat.
# What did existing controls miss?
Three honest gaps. First, RansomHub spent 37 days inside the network undetected — that is incompatible with effective EDR plus 24x7 SOC coverage on a core-banking environment. Patelco does not publish its EDR vendor, but the dwell time suggests either coverage gaps on key servers or alert-routing failures. Second, the data-exfiltration window of likely several days (Rclone-to-MEGA or Rclone-to-S3 is RansomHub's standard pattern) should have triggered DLP, anomalous egress, or netflow anomaly alerts; it did not. Third, the inability to fail over to a hot-standby core during 17 days of degraded service implies either an absence of true continuous-replication architecture or a fear that the standby was also compromised — both common in credit-union IT estates running on five-figure annual technology budgets.
# Detection: RansomHub Rclone-to-MEGA exfil sequence
```yaml
title: RansomHub Rclone MEGA Exfil Pattern
id: ransomhub-patelco-exfil-2024
# 'selection' evaluates process-creation telemetry (Sysmon EventID 1 fields);
# 'network_selection' evaluates network-connection telemetry (Sysmon EventID 3 fields).
# A strict Sigma deployment would split these into two rules, one per logsource category.
logsource:
    product: windows
detection:
    selection:
        Image|endswith: '\rclone.exe'
        CommandLine|contains|all:
            - 'copy'
            - 'mega:'
        CommandLine|contains|any:
            - '--transfers'
            - '--bwlimit'
    network_selection:
        DestinationHostname|contains:
            - 'mega.nz'
            - 'mega.co.nz'
    condition: selection or network_selection
level: high
```
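The same matching logic as the rule above, exercised over constructed Sysmon-style events so the `selection or network_selection` behaviour (and what it does not fire on) can be checked before deployment. This is an added Python example, not code from the original page or from any Safeguard product; the field names follow Sysmon EventID 1 and EventID 3 conventions and the hostnames and command lines are constructed samples.

```python
"""Evaluate the Rclone-to-MEGA detection logic over constructed Sysmon-style events."""
from typing import Iterable, Optional

MEGA_HOSTS = ("mega.nz", "mega.co.nz")          # DestinationHostname|contains
THROTTLE_FLAGS = ("--transfers", "--bwlimit")   # CommandLine|contains|any


def matches_process_selection(event: dict) -> bool:
    """Sysmon EventID 1: rclone.exe running 'copy ... mega:' with a throttle/parallelism flag."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (image.endswith("\\rclone.exe")
            and "copy" in cmd and "mega:" in cmd
            and any(flag in cmd for flag in THROTTLE_FLAGS))


def matches_network_selection(event: dict) -> bool:
    """Sysmon EventID 3: any connection whose destination hostname is a MEGA domain."""
    host = event.get("DestinationHostname", "").lower()
    return any(h in host for h in MEGA_HOSTS)


def alert_for(event: dict) -> Optional[str]:
    """Alert name for a matching event, else None (mirrors 'selection or network_selection')."""
    if event.get("EventID") == 1 and matches_process_selection(event):
        return "rclone_mega_exfil_process"
    if event.get("EventID") == 3 and matches_network_selection(event):
        return "mega_egress_connection"
    return None


def scan(events: Iterable[dict]) -> list:
    """Return (Computer, alert) pairs for every event that matches."""
    return [(e["Computer"], a) for e in events if (a := alert_for(e))]


# Constructed sample telemetry (hostnames, paths and command lines are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "core-db-01", "Image": "C:\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\exports\\members mega:backup --transfers 8 --bwlimit 10M"},
    {"EventID": 1, "Computer": "ws-042", "Image": "C:\\Program Files\\rclone\\rclone.exe",
     "CommandLine": "rclone.exe sync C:\\Users\\me\\docs onedrive:docs"},   # benign rclone use
    {"EventID": 3, "Computer": "core-db-01", "DestinationHostname": "g.api.mega.co.nz", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws-042", "DestinationHostname": "login.microsoftonline.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for computer, alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert} on {computer}")
```

Running it flags only the two core-db-01 events; the legitimate rclone-to-OneDrive sync on the workstation is not matched because it lacks the `mega:` remote and the throttle flags.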
# What should credit unions and small financial institutions do?
Six steps. First, push past NCUA Part 748 minimums and adopt FFIEC IT Examination handbooks as the internal baseline, especially the "Information Security" and "Business Continuity Management" booklets. Second, deploy modern EDR on every server in the core-banking estate, with telemetry routed to a 24x7 SOC (in-house or via a CUSO like CULedger or PSCU's CyberSafe service). Third, require offsite, immutable, and tested backups for every component of the core; do not assume the vendor's SaaS replica is sufficient. Fourth, instrument outbound traffic from the core estate to detect Rclone-to-MEGA, Rclone-to-S3, MEGAcmd, and similar exfiltration tooling. Fifth, contract for ransomware-specific incident-response retainers — Patelco's response cost was substantial, and pre-negotiated retainers cut response time. Sixth, run quarterly tabletops modelling exactly the Patelco sequence: 37 days of unnoticed access, two weeks of public outage, and the regulatory and class-action consequences that follow.
# How Safeguard Helps
Safeguard maps every component of a credit-union core-banking stack — Symitar, CUbase, DNA, Q2, Alkami, NCR Voyix, FIS Horizon — into SBOMs and continuously cross-references against CISA KEV and RansomHub-affiliate TTP advisories (CISA AA24-242A). Griffin AI reachability analysis identifies which CVEs can be exploited from member-facing portals versus those buried in internal-only systems, so triage stays focused. TPRM scoring tracks every core-banking vendor and CUSO against the NCUA's Letter to Credit Unions 24-CU-04 expectations and the FFIEC IT booklets, downgrading vendors that miss SLAs. Policy gates block any new vendor release that embeds a KEV-listed component, and DLP integrations flag Rclone-to-MEGA and Rclone-to-S3 patterns the moment they appear on a core-banking host — making the next Patelco-class 37-day dwell impossible to repeat.