Don’t Negotiate with (Cyber)Terrorists: OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
It’s of the utmost importance to understand that paying off ransomware attacks doesn’t just present a considerable risk to your business, but to the country as well.
On October 1, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory detailing these risks, prompted by a steep increase in demands for ransomware payments that have skyrocketed during the COVID-19 pandemic. Their warning was very clear:
“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.”
The advisory served as a clear reminder that under the IEEPA (International Emergency Economic Powers Act) and the TWEA (Trading with the Enemy Act), it is expressly forbidden for citizens to engage in transactions, directly or indirectly, with individuals or entities on the Specially Designated Nationals (SDN) and Blocked Persons Lists. This includes countries covered by comprehensive embargoes like Cuba, Ukraine, Iran, North Korea, and Syria.
Note that if you’re found in violation of OFAC regulations, you could be subject to criminal penalties including a fine of up to $1 million and/or up to 20 years in prison for each violation. Civil penalties alone could include fines of up to $55,000 for each violation. When you also consider the fact that paying the ransom doesn’t actually guarantee the continued integrity of your recently compromised data, it becomes easy to see why this isn’t the “easy way out” that you were hoping it would be. Considering that 45% of businesses experience a ransomware attack yet only 26% of their files are recovered, the dangers of these attacks are clear.
One story illustrating this fact occurred in 2019, when an employee of Riviera Beach City in Florida allegedly clicked on a phishing email which infected the city’s network with ransomware, resulting in every online system going down, including email, phone systems and water utility pump stations. After a quick discussion, the City Council voted unanimously to pay the ransom, which in this case came out to nearly $600,000, and the payment still didn’t result in the recovery of all their lost assets.
As a cybersecurity expert, I find the scariest thing about today’s cybersecurity landscape is that we’re at the mercy of the awareness of the end user to identify red flags indicative of a ransomware attack and function as a first line of defense. Most ransomware payloads are still delivered the old-fashioned way via a phishing attempt, and considering that approximately 70% of threat actors already have some degree of information about you, it doesn’t require much complexity to develop an effective ransomware attack. Despite today’s advanced security tools, the biggest obstacle we face is the human firewall and our natural reluctance to confront the root cause of this issue head-on. Sadly, many companies prefer to pay the ransom in the hopes that the problem will just go away, which may seem like an effective idea in theory, but in practice, it hardly ever works out that way.
For all these reasons, OFAC encourages companies to create a risk-based compliance program to mitigate exposure to sanctions-related violations. In other words, they’d prefer that you put a plan in place now to proactively stop yourself from becoming a victim of ransomware in the first place, so that in the event you experience a breach, you can readily determine the root cause of that attack. They also encourage victims of successful ransomware attacks to contact OFAC immediately if they believe that any ransomware payment falls under the sphere of a sanctions-related violation, as well as if the attack causes a significant disruption to your ability to operate. In those cases, you should also contact the United States Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
This is all especially important to understand because ransomware is an unfortunate trend that shows absolutely no signs of slowing down anytime soon. If anything, given how easy it is to deploy and how effective it is, it’s only going to get worse as time goes on. If last year’s 350% increase in ransomware attacks is any indication of what’s to come, we’re bound to see these types of attacks increase alongside their complexity and financial impact. According to a number of industry sources, 2021 will see ransomware attacks occur every 11 seconds, with breaches amounting to an alarming $20 billion in lost revenue for SMBs. Rather than suddenly finding yourself in a position where you have to choose between A) losing all of your business’ critical data, and B) paying a ransom that ends up funding terrorists while also putting yourself on the receiving end of an OFAC violation, it’s better to do what you need to do today to help prevent this horrible event from occurring.
Setting aside the fact that not every organization has that amount of money lying around that they can just hand over to someone halfway around the world with malicious intentions, you also need to think about where that ransom may be going. Experts unanimously agree that a lot of this money isn’t just helping to fund organized crime, but it’s also directly contributing to terrorism around the world. This alone should be enough to get you to stop and think about alternatives should you ever find yourself in a similar situation.
Of course, the bigger issue is that paying any type of ransom (or facilitating the payment of a ransom) will put you at risk of violating OFAC regulations. This could have a major negative impact on your business that you may not ever be able to recover from, especially if you’re managing sensitive data like CUI or PII. That means you not only need a comprehensive approach to cybersecurity and business continuity, you need it right away. At our Boston IT Support company, TSI, that’s something we always work hard to create for our clients, and we’re honored to be the IT security partner to some of the country’s most trusted DIB contractors. So, if that sounds like exactly what you’ve been looking for, contact either me or one of my colleagues at TSI today. Once we get your introductory phone call on the books, we’ll be able to learn more about what we need to do to make sure your business is protected regardless of where threats may arise.