Paying ransomware demands

Why Paying Ransomware Demands May Be a Criminal Act.

Background:

Between 2018 and 2019 there were two interesting changes reported in the Federal Bureau of Investigation (FBI) Internet Crime Report. The first was a 37% increase in reported ransomware attacks. Perhaps more importantly, there was a 147% increase in losses from ransomware attacks. Traditionally we see news about attacks against larger organizations, but the criminals behind ransomware are now more sophisticated and are using targeted attacks against small and medium-sized companies, municipal governments, hospitals and even school districts. The attacks are more numerous against these types of organizations because they often lack the resources, either tools or talent, to close their vulnerabilities, and they are therefore less likely to be adequately protected.

What does this mean for businesses?

But look, this is nothing new. For those that don’t know, ransomware is a type of attack where a nefarious actor accesses the victim’s network and installs malicious code. The malicious code then locks key systems in the victim’s network by encrypting the data, and holds it for ransom. Generally the threat is to destroy the data, leave the system locked, or, worse, expose the data to the public through leaks that can be incredibly harmful. Organizations are left to weigh the best option, and in most cases that is to pay the ransom, generally in the form of digital currency, to retrieve their data. Often these attacks go unreported, but in many cases victims are regulated entities required to disclose this kind of attack. The ramifications can be damage to reputation, damage to systems, and in some cases financial consequences severe enough that the business is forever crippled or goes bankrupt.

Many organizations not only paid ransoms and didn’t report them; they may also have done something even worse: consorted with criminals sanctioned by the United States government. The United States Department of the Treasury Office of Foreign Assets Control (OFAC) has sanctioned a number of malicious cyber actors, including those behind Cryptolocker, SamSam, WannaCry 2.0 and Dridex ransomware. Dridex in particular was run by a foreign group known as Evil Corp, which, led by Maksim Yakubets, stole over $100 million from forty financial institutions. All told, these foreign actors create a problem not just for the organizations they rob; they also help fund and support global bad actors, including state actors working against the interests of the United States.

In the direct words of OFAC: “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

In layman’s terms, that means an innocent company may pay a ransom and find that it now has a nexus with sanctioned activities. In the words of OFAC: “Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).

Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

The enforcement actions available include monetary penalties, and they are not limited to the companies that paid the ransom. Companies that facilitate ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations, as should companies that engage with victims of ransomware attacks, such as those providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). Sanctions may be mitigated by certain activities, but at the end of the day the risks are high.

What can be done?

So what can be done? First and foremost, working with the proper authorities and following the appropriate steps is a start. Contact the appropriate government agency; there is also a licensing process for paying ransoms. While license applications come with the presumption that they will be denied, this is a first step. By working with the proper authorities, an organization will at a minimum be able to mitigate any penalties and help ensure that enforcement activity is slight or does not happen at all. More importantly, this can help the investigation of the bad actors and prevent further attacks.

At the end of the day, paying a ransom is a dangerous choice, with no assurance that public embarrassment or a leak will be avoided or that files will be returned. As threats grow and more organizations are attacked and affected, the more coordinated the efforts of law enforcement, the better chance we have of stopping them. Either way, the best offense is a strong defense, and ensuring that the proper cybersecurity measures are in place is the best way to reduce the risk of attack.

About the Author

Thomas Coke

Thomas Coke is the Chief Strategy Officer of BitLyft Cybersecurity. He has a JD from Michigan State University College of Law, a BA in Economics from Kalamazoo College and has years of experience in technology startups with a few successful exits. He can be reached at tom.coke@bitlyft.com and on LinkedIn at https://www.linkedin.com/in/thomascoke/