Paying Ransomware Demands May Cost You
Ransomware – True Costs
As if the challenges of COVID-19 weren't enough, ransomware has become a growing threat to business in 2020 (see our January 2020 blog) and remains one as we close out the year. Not paying a ransom to regain access to your files has always been the recommended option, provided that critical information has been backed up and the backups are protected from the attacker. The Federal Government has now added a further incentive not to pay. Many ransomware operators are not individuals looking for a quick buck but well-established criminal organizations, some of them based in, or acting on behalf of, countries and entities under U.S. sanctions.
The Office of Foreign Assets Control (OFAC) of the U.S. Treasury issued an advisory on October 1, 2020 (Ransomware Payments) as a warning to companies and institutions that have been, or may become, the target of a ransomware attack. The five-page advisory states that an organization paying a ransom to an attacker who is a sanctioned person, or located in a sanctioned jurisdiction, and any party facilitating that payment, "including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response," may be in violation of OFAC regulations and subject to penalties.
Ransomware has been a major concern in recent years for organizations in the United States and abroad, having crippled municipalities, educational institutions, hospitals, and private companies across all industries. The OFAC advisory notes that the current wave of ransomware attacks has become "more focused, sophisticated, costly, and numerous." The same trend is visible in the growing number of urgent alerts issued by the Federal Bureau of Investigation (FBI), which has warned of attacks that steal a copy of the data before encrypting it. Because the attackers then hold the data rather than merely locking it up, they gain additional leverage when demanding a ransom.
Over the past few years, ransomware has grown into a multibillion-dollar industry. Attackers have had great success in tailoring their attacks to inflict the most damage on each victim, which often leaves companies with few options other than paying. The encrypted data may be crucial to operations and may never have been backed up, or the backups themselves may have been encrypted or deleted. Some victims conclude that paying the ransom is cheaper than a costly and time-consuming rebuild of systems and databases. Others pay to prevent the public release of sensitive files, since attackers increasingly exfiltrate and retain data in addition to encrypting it.
The intent of the OFAC advisory is to discourage attackers by cutting off their source of revenue: the victims whose data has been stolen and/or encrypted and who may want to pay. OFAC makes the point that paying a ransom encourages these groups to carry out future ransomware attacks, and that organizations paying ransoms enable the criminals by supplying funds that can be used against the national security and foreign policy interests of the United States.
To reduce the likelihood that companies and their payment facilitators will pay, OFAC points to its enforcement authority under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), under which U.S. persons are generally prohibited from engaging in transactions with sanctioned persons or jurisdictions, and warns that those who pay anyway may face sanctions enforcement. If this sounds ominous, it is. The Federal Government is determined to fight this ongoing threat, and cutting off ransom payments may be the most effective means available, even though in the short run it appears to penalize the victim. The advisory does not specify penalty amounts, but violations of OFAC sanctions regulations can be costly: under IEEPA, civil penalties per violation can reach the greater of an inflation-adjusted statutory cap or twice the value of the underlying transaction, and willful violations carry criminal penalties of up to $1 million in fines and up to 20 years in prison. Organizations making such a payment without an OFAC license expose themselves to these penalties.
The advisory does acknowledge that, even given the potential penalties, some victims will still pay. OFAC states that it will weigh mitigating factors when determining an enforcement response, in particular whether the victim made a self-initiated, timely, and complete report of the attack to law enforcement and cooperated with investigators. At the same time, the advisory notes that OFAC may impose civil penalties on a strict-liability basis, meaning that a victim can be in violation even if it did not know, or have reason to know, that the attacker compromising its systems was a sanctioned entity or located in a sanctioned jurisdiction.
It is evident from reading the OFAC advisory that your company could become a victim twice: first through the attack itself and its ransom demand, and again through Federal enforcement if you pay that ransom.
Let 10X Consulting Group assist you. Call 704-931-1056 for help in designing a secure system with a planned, tested backup strategy that reduces your exposure to these attacks, protects your data, and spares you both the ransom and the regulatory penalties.