Three recent events are prompting me to update our previous blog post on the difficult decision of whether to pay or not to pay ransomware following an attack.

The first event is that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries “with a sanctions nexus,” the funds could be used “to fund activities adverse to the national security and foreign policy objectives of the United States.” Therefore, companies, or vendors acting on their behalf, who pay a ransom to sanctioned individuals or governments are at risk of sanctions under the Financial Crimes Enforcement Network (FinCEN) regulations.

The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or destruction of data. A fuller summary of the OFAC advisory follows below.

The second event was a recent thoughtful analysis on this subject matter by KrebsonSecurity, entitled “Why Paying to Delete Stolen Data is Bonkers.” Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes from the Report “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”

Krebs further notes that ransomware victims who pay for the decryption key are relying on hope that the keys will work, which is not always the case.

The final event is that there is growing anecdotal evidence that Ransomware as a Service (RaaS) operators, usually less sophisticated than the big players, are engaging in double extortion scams against their victims. This means that if you have made the business decision to pay the ransom for either the decryption keys or the destruction of data, these operators, after you have agreed to pay a negotiated amount and they have initially agreed to hold up their part of the bargain, refuse to give you the key or the confirmation of destruction until you pay more ransom. This behavior is inconsistent with the general business model of ransomware, in which the attackers return what has been ransomed after payment so that future victims can be assured that if they pay the ransom, they will get their keys or their data back. This new phenomenon provides a strong argument (in addition to the ones above) to refrain from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. Attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of an attack, you just don’t know who you are dealing with, so weighing these risks is challenging at best.


On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that the incidence of ransomware attacks on U.S. companies has risen during the COVID-19 pandemic. Although the advisory does not mention that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid ransoms, particularly when data has been exfiltrated and the cybercriminals are threatening to post the data online unless a ransom is paid for confirmation of destruction, as is the scheme used by Maze.

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” These sanctions include civil penalties based on strict liability.

In light of the advisory, OFAC:

“encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses) (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for those responding to ransomware attacks and handling incident response. It lays out important considerations for determining how the advisory may impact your incident response plan, what questions to ask your cyber liability insurer about coverage for ransom payments, and how to account for the risks associated with a ransomware payment in your enterprise-wide risk management program.