Three recent events are prompting me to update our previous blog post on the difficult decision of whether to pay or not to pay ransomware following an attack [view related post].

The first event is that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries “with a sanctions nexus,” the funds could be used “to fund activities adverse to the national security and foreign policy objectives of the United States.” Therefore, companies or vendors acting on their behalf who pay a ransom to a sanctioned individual or governments are at risk for sanctions under the Financial Crimes Enforcement Network (FinCEN) regulations.

The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or destruction of data. For more on the OFAC Advisory, click here:

The second event was a recent thoughtful analysis on this subject matter by KrebsonSecurity, entitled “Why Paying to Delete Stolen Data is Bonkers.” Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes from the Report “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”

Krebs further notes that ransomware victims who pay for the decryption key are relying on hope that the keys will work, which is not always the case.

The final event is that there is growing anecdotal evidence that Ransomware as a Service (RaaS) operators, usually less sophisticated than the big boys, are engaging in double extortion scams against their victims. This means that if you have made the business decision to pay the ransomware for either the decryption keys or the destruction of data, these operators are refusing, after you have agreed to pay a negotiated amount, and they have initially agreed to hold up their part of the bargain, to give you the key or the confirmation of destruction until you pay more ransom. This behavior is certainly inconsistent with the general business plan of ransomware that the attackers will return what has been ransomed after payment, so future victims can be assured that if they pay the ransom, they will get their keys or the data back. This new phenomenon provides a strong argument (in addition to the ones above) to refrain from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. These attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of the attack, you just don’t know who you are dealing with, so weighing these risks is challenging at best.

According to Cybersecurity Ventures, cybercrime is the fastest growing crime in the U.S., with damages expected to reach $6 trillion globally by 2021. Therefore, it is axiomatic that C-Suites continue to address the risk associated with cybercrime and how cybercrime will affect the business.

Ransomware continues to be one of the biggest risks to company operations. Statistics show that ransomware attacks are becoming more prolific and expensive. According to the most recent Coveware Q3 Report, ransomware incidents and ransom demands are increasing. Ransomware attacks are leaving a company paralyzed for an average of 19 days.

The inability to conduct business operations for 19 days can be devastating, especially to small and medium-sized businesses. Having an incident response plan, contingent operations plan, and disaster recovery plan is essential to minimizing the risk of failed or stalled operations. Those companies that are prepared for an attack and can implement these plans are better able to respond to a cyber-attack that leaves the company paralyzed.

It is clear that cyber-attacks and cybercrime damages are continuing to soar, particularly while companies’ workforces are working remotely. It is crucial to evaluate and put your incident response, contingent operations and disaster recovery plans in place now.