When it comes to ransomware, we have always stood firm in our recommendation not to pay whoever is responsible for locking down your systems. However, due to the globalized nature of technology and cybercrime, it is even more important that companies don’t attempt to placate their attackers with the demanded funds. Otherwise, warns the United States Treasury Department, these victimized businesses could very well pay severe fines for doing so.
Here’s the situation: in today’s increasingly connected world, cybercriminal activities can be conducted from essentially anywhere and target essentially anyone. It isn’t like the old-fashioned stick-‘em-up robbery, where the criminal had to be present to commit the crime. Now, someone in Portugal could presumably rob the Federal Credit Union of Poughkeepsie without getting up out of their poltrona.
One particularly effective tool that many cybercriminals will now use to do so is ransomware—a malware that encrypts a system and renders it effectively useless, only offering the user the means to pay the criminal responsible some fee in exchange for resumed access to their resources. Whether the cybercriminal holds up their end of the bargain is another, highly unlikely story.
As we’ve said, we recommend that you never pay these attackers… but we do understand why you may feel that is your best option. After all, it seems like the fastest way out of a bad situation and when your business is hemorrhaging money due to downtime, you’re going to want to fix the situation as quickly as possible. This is precisely what the cybercriminals are counting on.
Despite this, it really is a bad practice to pay for resumed access to your data for a number of reasons, not the least of which being the fact that you’ve no guarantee that your data will actually be returned and that the money you send will only fuel more attacks.
However, that’s just the start of your problems, should you elect to pay up.
To try and discourage ransom payments, the Treasury Department is doubling down on the advice that the Federal Bureau of Investigation has been giving for years. Rather than simply discouraging businesses from paying, the Treasury Department has warned that the federal government could severely fine the businesses that pay out these ransoms for violating terms laid out by the Treasury’s Office of Foreign Assets Control.
In their Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, OFAC outlines how many cybercriminal groups—including the North Korean Lazarus Group, the Russian cybercriminal syndicate Evil Corp, and individuals tied to SamSam and Cryptolocker—operate out of regions that are already subject to economic sanctions, or have had sanctions levied against them. These sanctions make it a crime to make any transactions with them…including ransomware payments.
After all, once that ransom is paid over, who's to say that the money doesn’t wind up in the hands of some entity that poses a direct threat to security?
Unless given a special license by the Treasury, a business that facilitates ransomware by paying up could not only see losses in the amount of the exorbitant ransom demands, but also in the fines that could be levied up to millions of dollars.
Technically speaking, this advisory isn’t an outright ban on ransomware payments. Instead, companies are encouraged to contact law enforcement to obtain clearance to pay the ransom, or to try to obtain an OFAC license to do so. However, these requests are more than likely to be denied.
There is also no telling how much these policies will be enforced, but it is almost certainly wiser to take them at face value and act accordingly.
Adding to the complexity of the situation, this advisory flies directly counter to the advice that many insurance companies give their customers, which is often to pay the ransom. The theory is that paying the ransom would ultimately be less expensive than recovering from a backup and undergoing the associated downtime—but doing so ultimately adds to the growing ransomware problem.
These sanctions would effectively make it impossible for insurance companies to cover the costs that their policies guarantee, and it isn’t as though these companies will act in a way that violates these mandates.
Therefore, cyberinsurance policies will likely no longer include ransomware coverage. This may result in many businesses second-guessing if investing in insurance is worth the cost.
Regardless, for companies to protect themselves from the threat of ransomware, there needs to be a greater awareness of how to avoid the risks and the importance of doing so. This is especially the case right now as so many people are working remotely.
Ransomware attacks are commonly spread via phishing messages, often packaged in attachments or through disguised download links. Make sure your team members are all aware of this threat, and how they can better spot a phishing email as it comes in.
For more information on how to do so, and other security best practices and solutions, turn to us at Heart of Texas Network Consultants. As a managed service provider, our mission is to help your business manage its information technology so that you can remain productive—which includes protecting it as best we can from a variety of threats. Learn more by giving us a call at (254) 848-7100.