On Thursday, October 1st the Department of the Treasury in Washington, DC issued a public advisory on “Potential Sanctions Risks for Facilitating Ransomware Payments,” in response to the onslaught of COVID-19-themed ransomware attacks.
Ransomware is a form of malware that encrypts a victim’s files as a means to demand money. Typically, victims are alerted that their system has been compromised and their files have been encrypted, and that the files will not be made accessible until the ransom is paid. Hackers play on emotions, evoking fear and a sense of urgency. Victims are given time-sensitive instructions on how to pay (via Bitcoin) for a file decryption key.
The Treasury referenced the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, calling out a “37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019 for both small and medium sized businesses, local government agencies, hospitals, and school districts.” Research states that costs can range from hundreds to thousands of dollars; however, payment does not prevent further extortion. There is no guarantee that files have not been copied, sold or altered in some way. Charles Carmakal, CTO and incident response expert for FireEye, mentions considerably higher sums, stating: “These extortion demands are in the six-figure range for smaller companies and seven to eight figures for larger companies.”
Who is paying the ransom and why?
In the advisory, the Department of the Treasury warns businesses that the short-term solution of paying malicious actors will only embolden them to conjure up more devastating attacks in the future. The Treasury also reiterates the long-standing laws under which the Office of Foreign Assets Control (OFAC) can impose civil penalties and may hold victimized businesses liable, even if they did not know they were engaged with sanctioned persons. This is nothing new. There is no change in the existing law; the COVID-19 ransomware attacks are simply another reason for the Treasury to urge businesses to comply with the laws, hoping to slow the progression of the growing ransomware problem. It states:
“Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited.”
More importantly, OFAC strongly encourages financial institutions and others to make appropriate business decisions to ensure that proper preparatory action is taken to safeguard their business and their customers. OFAC suggests implementing a risk-based compliance program to mitigate any exposure to sanctions-related violations, as described in OFAC’s 2019 publication, A Framework for OFAC Compliance Commitments.
Ransomware response is maturing.
According to Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, ransomware is evolving to become more malicious. Bad actors are now even encrypting backups of data files with key changes, rendering the backups useless. Since ransomware’s devastation is mounting, most businesses are opting to pay or are hiring third parties to negotiate or resolve the issue.
In Grimes’ webinar entitled “Now that ransomware has gone nuclear, how can you avoid becoming the next victim,” he breaks down the progression of ransomware response maturity over the years. In short, early victims generally didn’t pay the ransom. Over the first couple of years, there was little tracking data to determine whether paying the ransom would afford even a slim chance of data retrieval. Fast forward a few years: more businesses were forced to pay, and rumors indicated that thieves were honoring their word by providing decryption keys for data retrieval. Further on, cyber insurance became available to help businesses cope with damages from ransomware. Today, most businesses pay at least a portion of the ransom, regardless of their claims not to have paid. Now more than ever, it is becoming evident that even with great backups in place, it is often cheaper and faster for businesses to pay the ransom to drastically reduce recovery time and downtime.
Most businesses today recognize the value of proactivity. A cybersecurity spend is inevitable, whether proactive or reactive. Reactive spending costs more and barely gets you back to square one. It is completely justifiable to invest in a preventative cybersecurity strategy, keeping you continuously ahead of the threats.