
Ransomware On the Rise: Unwary Victims May Pay Twice


Given the speculation and concern over ransomware attacks impacting the 2020 U.S. election, the recent spate of private companies falling victim to such attacks, and the October 1, 2020 advisory issued by the Department of Treasury (“Advisory”), it is no surprise that ransomware is trending in cybersecurity.

As defined in the Advisory, ransomware is a type of malware attack “designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.”

A likely scenario is a threat actor delivering malware by sending an email to a corporate employee and disguising the malware as a seemingly legitimate hyperlink or attachment. Once the employee clicks the link, the malware is downloaded onto the system and encrypts—or locks—corporate data. The threat actor then demands payment—usually in the form of bitcoin or other cryptocurrency—in exchange for the decryption key to unlock the data.

OFAC issues advisory warning regarding sanctions for ransomware payments.

Ransomware attacks place companies in a precarious scenario where they risk falling victim twice. First, to the threat actors in the form of lost data and/or funds paid. Second, to regulators and government entities for facilitating payment to cybercriminals.

Federal agencies generally advise against paying ransoms. After all, there is no guarantee that criminals will provide the victim with the decryption keys needed to regain system access. In addition, ransomware payments fund further criminal activity and encourage subsequent cyber-attacks. Nevertheless, some entities have no practical choice if they are to regain access to their data and system functionality.

The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) imposes sanctions—including significant monetary penalties—on U.S. entities that engage in transactions with individuals and organizations on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), regardless of where the U.S. entity is located. OFAC’s authority to regulate such transactions is provided by the International Emergency Economic Powers Act and the Trading with the Enemy Act.

According to OFAC, funds used to pay cybercriminals’ ransomware demands may be used to support illicit activities that are contrary to U.S. national security and foreign policy objectives. Because U.S. persons are generally prohibited from engaging in direct or indirect transactions with individuals on the SDN List, any ransomware payment that falls within that prohibition may subject the violating party to OFAC sanctions.

OFAC’s strict liability approach.

OFAC’s Advisory makes it clear that ignorance of the law or third party facilitation of transactions will not excuse otherwise violating conduct. Any transaction by a non-U.S. person that causes a U.S. person to engage in a prohibited transaction—whether or not the transaction is facilitated or initiated by the U.S. person—subjects the U.S. person to strict liability, even if the U.S. person did not know or have reason to know it was engaging in a transaction with an entity on the SDN List.

OFAC considers several factors when determining an appropriate sanction for violations, including the “existence, nature, and adequacy of a sanctions compliance program.” OFAC thus encourages companies to implement compliance programs to avoid or reduce sanctions in connection with prohibited transactions to SDN List entities.

Looking forward.

Individuals at the decision-making level should be apprised of the regulatory boundaries imposed by OFAC when facing a ransomware scenario and/or selecting a ransomware payment vendor. Additionally, entities considering whether to make a ransomware payment must take steps to minimize the risk of violating OFAC sanctions. Such measures should include reviewing any available identifiers of the ransomware attacker, like its cryptocurrency wallet address or ransomware variant, against the SDN List. Given the clear statements from OFAC regarding the strict liability U.S. persons face for facilitating a covered payment through a non-U.S. person and/or through an intermediary, vendor diligence in this context is particularly critical.

Among other things, entities should also: (1) review and, if necessary, update their incident response plans to analyze whether ransomware actors are contained on OFAC’s SDN List before making payment, and potentially to notify OFAC before making payment in situations where there is a concern a payment may involve a sanctions nexus, and (2) review cyber insurance policies to understand whether the OFAC Advisory causes an impact on coverage.
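The SDN List screening step described above can be automated inside an incident response playbook. The following is an added example written for this post, not code from the post’s author or from OFAC. It assumes the layout of OFAC’s legacy comma-separated SDN export, in which digital-currency identifiers appear in the remarks column as “Digital Currency Address - <ticker> <address>;”; the sample rows, names and addresses below are constructed placeholders, not real SDN entries.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in the layout of OFAC's legacy sdn.csv export, reduced to
# five of its columns: entity number, name, type, sanctions program, remarks.
# Every name and address here is a fictional placeholder (assumption about
# the export format; not real SDN data).
SAMPLE_SDN_CSV = """\
10001,"EXAMPLE EXCHANGE LTD",Entity,CYBER2,"Digital Currency Address - XBT 1SdnXbtPLACEHOLDER111111111111111; Digital Currency Address - ETH 0xAbCdEf0000000000000000000000000000000001;"
10002,"DOE, John",individual,CYBER2,"DOB 01 Jan 1980; Digital Currency Address - XMR 4SdnXmrPLACEHOLDER;"
10003,"UNRELATED SHIPPING CO",Entity,IRAN,"Vessel registration; no digital currency identifiers"
"""

# Pattern for the remarks-column phrasing assumed above.
DC_ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+)")


@dataclass(frozen=True)
class SdnHit:
    """One SDN entry that lists the screened address."""
    entity_number: str
    name: str
    program: str
    ticker: str


def normalize_address(address: str) -> str:
    """Canonicalize an address so case differences do not hide a match.

    Hex (EVM-style, 0x...) and bech32 (bc1...) addresses are case-insensitive,
    so they are lower-cased. Base58 addresses are case-sensitive and are left
    untouched apart from trimming whitespace.
    """
    address = address.strip()
    lowered = address.lower()
    if lowered.startswith("0x") or lowered.startswith("bc1"):
        return lowered
    return address


def build_address_index(csv_text: str) -> dict[str, list[SdnHit]]:
    """Parse an SDN export and map each listed digital-currency address to its entries."""
    index: dict[str, list[SdnHit]] = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue  # skip blank or malformed rows
        entity_number, name, _entry_type, program, remarks = row[:5]
        for ticker, address in DC_ADDRESS_RE.findall(remarks):
            hit = SdnHit(entity_number, name, program, ticker)
            index.setdefault(normalize_address(address), []).append(hit)
    return index


def screen_addresses(addresses: list[str], index: dict[str, list[SdnHit]]) -> dict[str, list[SdnHit]]:
    """Return the subset of the attacker's addresses that appear on the SDN List.

    A non-empty result means the payment decision has a sanctions nexus and
    should be escalated to counsel (and potentially reported to OFAC) before
    any payment is considered.
    """
    hits: dict[str, list[SdnHit]] = {}
    for address in addresses:
        key = normalize_address(address)
        if key in index:
            hits[address] = index[key]
    return hits


if __name__ == "__main__":
    # Addresses as they might be copied from a ransom note (constructed).
    demanded = [
        "0xABCDEF0000000000000000000000000000000001",  # differs only in case
        "bc1qnotonanylist0000000000000000000000000",
        "4SdnXmrPLACEHOLDER",
    ]
    index = build_address_index(SAMPLE_SDN_CSV)
    for address, entries in screen_addresses(demanded, index).items():
        for entry in entries:
            print(f"SDN MATCH: {address} -> {entry.name} (program {entry.program}, {entry.ticker})")
```

In practice the index would be built from a freshly downloaded SDN export on each run, because OFAC adds digital-currency identifiers over time; the screening result is only one input to the decision, and an empty result does not by itself establish that no sanctions nexus exists.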

Of course, the ideal scenario is to avoid or prevent ransomware attacks in the first instance—before any data is held hostage. There are a number of technical, administrative, and physical cyber controls that may be employed, but one of the most important components of a ransomware security plan is a robust data backup program. By maintaining an offline and encrypted backup of its records, an organization is less likely to face a scenario where business-critical data is completely inaccessible, because an offline backup should not be affected by ransomware infecting the network. This matters because certain types of ransomware are designed specifically to locate and delete backups stored on the network.

Offline backups are just one piece of the ransomware defense puzzle. The Cybersecurity & Infrastructure Security Agency (“CISA”) issued a Ransomware Guide earlier this year. Among CISA’s recommendations are regularly updating and patching software and hardware, training network users to spot and avoid phishing attempts, and implementing intrusion detection systems. CISA’s Ransomware Guide also includes a helpful Ransomware Response Checklist.

Finally, OFAC encourages ransomware victims to notify OFAC immediately if there is a concern that a purported ransomware payment may involve a sanctions nexus. OFAC will consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant factor in determining an appropriate enforcement outcome if the situation later is determined to have a sanctions nexus.”

Attorneys in Honigman’s Data, Privacy, and Cybersecurity group are equipped to handle legal issues involving ransomware from all angles, including developing compliance programs designed to mitigate payment sanctions, conducting ransomware payment vendor diligence, implementing controls and training, and navigating regulatory disclosures, investigations, and potential sanctions.
