The ways organizations should react following a ransomware attack were discussed during a session at the RSAC 365 Virtual Summit.
This topic was highlighted in context of an advisory issued in October 2020 by the US Department of the Treasury concerning the payment of ransomware. Adam Hickey, deputy assistant attorney general, National Security Division, Department of Justice, explained that “essentially it reminds the audience that if you engage in transactions with a sanctioned entity or person, you can be civilly liable, and the Treasury has the authority to bring an enforcement action even if you didn’t know what you were doing.”
This advisory covers malicious actors that have been designated under the scope of the Office of Foreign Assets Control (OFAC)’s cyber-related sanctions program, including Cryptolocker, SamSam, WannaCry 2.0 and Dridex. Hickey added that it outlines factors that will impact the Treasury’s judgement on whether a penalty is appropriate. This includes “whether the US company or entity had a risk-based compliance program in place, designed to identify and mitigate sanctions risk” and also if the victim “reached out to law enforcement and was transparent with them.”
While some have viewed this as harsh on ransomware victims, Hickey said the guidance is aimed more towards the intermediaries that may be relied on to make a ransomware payment, such as insurance firms and forensic companies, helping ensure they develop risk-based compliance programs.
Such a strict approach is necessary amid rising ransomware attacks to make all online users safer, according to Hickey. He commented: “As an individual entity you may be better off paying the ransom, but all of us are worse off if you do because with every dollar that goes to the ransomware operator, it expands the market for it, making it more profitable, and ensures that there will be more ransomware in the future.”
However, Stewart Baker, counsel at legal firm Steptoe & Johnson LLP, was not convinced this approach will be effective in its overall aim of deterring ransomware gangs, and may simply serve to inflict additional burdens on organizations already reeling from an attack. He noted that while the advisory may be primarily aimed at the facilitators of payments and helps make that clear, the reality remains that “if you pay it you are clearly subject to liability under OFAC.”
With many businesses, such as those with inadequate backups, often left with little choice but to pay ransoms, Baker commented that “all it really does is simply add to the pain the victim suffers and I’m not sure it’s going to affect the people who are serving ransomware,” adding that he has not seen any evidence that ransomware actors are even deterred from using the old tools and techniques that are already listed on the cyber-related sanctions program.
Nevertheless, Hickey believes the message the guidance sends out is important because encouraging paying ransoms is inherently worse for everyone, especially if it is conducted by rogue nation state actors such as North Korea and Iran that may use any payments to help fund terrorist activities. He also hopes it will encourage organizations to better protect themselves against such attacks. “Fortunately there are ways victims can protect themselves to some degree from ransomware, like backups,” he outlined.
Hickey concluded by stating it is always best for companies in such a position to inform law enforcement and be open and transparent about the situation. “Even if you think paying the ransom is the only option, it could leave you less secure in the future, because there’s no guarantee that the bad actor is going to pull every tool you have off your network – if you pay once why wouldn’t you pay again?” he said.