The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory highlighting the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target the online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but may also risk violating OFAC regulations. The advisory describes these sanctions risks and provides information for contacting the relevant U.S. government agencies, including OFAC, if there is reason to believe the cyber actor demanding a ransomware payment may be sanctioned or otherwise have a sanctions nexus.
As financial losses from cyber crime, and from ransomware attacks in particular, have skyrocketed in recent years, the U.S. Treasury Department has imposed economic sanctions on several cyber criminals and cyber crime groups, effectively freezing all property and interests in property of these groups and making it a crime to do business with them. Until now, the decision on whether to pay a ransom rested with the victim and its insurers, which left them in control of potentially life-and-death decisions, depending on which products and services were threatened.
Now the government has given clear guidelines, and those risk decisions must also factor in fines and potentially criminal charges for insurers that agree to pay ransoms on behalf of their customers. Let’s hope the government thinks carefully about the sanctioned cyber criminals or groups included on its list and provides a rapid means of petition for life-and-death cases. The last thing we want is to bayonet the wounded. If someone is already a victim, we should be careful not to add insult to injury.
Ransomware attacks are continuing to rise, and without a doubt the stakes are getting higher. These attacks are increasing in volume and sophistication, and while it might be tempting to pay a ransom, doing so only fuels the fire. We are seeing more instances where the public and private sector respond to the pressure and pay the ransom. In addition to this week’s OFAC advisory, Senators Warren and Wyden have each introduced separate bills that would hold corporate executives accountable if they fail to take cybersecurity seriously.
Ransomware attacks and other cyberthreats will remain a constant as our personal lives and business operations continue to digitalise. That’s why choosing to pay a ransom is too often a short-sighted response that can come at a high cost. Research has shown that paying a ransom can double the cost of recovery. Building, maintaining and constantly improving an organisation’s cybersecurity program is always the best approach, and there are certainly tools available today that provide cost-effective solutions.
Fortunately, choosing to pay a ransom is not an approach we’ve seen corporate boards take in the industrial networking and critical infrastructure space. Paying a ransom can be a slippery slope, and even illegal in some cases, as we now see with the OFAC advisory. Organisations that give in to hackers’ demands are only supporting the profitability and growth of ransomware activity. When it comes to ransomware attacks, prevention will always be better than a cure.