Ransomware and federal sanctions

BY MARK LANTERMAN

Ransomware, as most of us know by now, is a type of malware that takes data or devices hostage, with cyber attackers demanding the payment of a ransom in exchange for restored access. Preparation is the critical factor when it comes to handling a ransomware attack. Strong backup policies are essential for mitigating data loss, and adhering to best security practices, such as the use of encryption, also better enables organizations to respond to cyber threats. While attackers may still be able to threaten the publication of data, it is always advisable not to pay ransoms. Paying a ransom puts an organization at greater risk of repeat attacks. But paying a ransom is also ultimately risky for another reason—it may be a violation of U.S. sanctions laws.

Given the increased reliance on remote work capabilities in 2020, ransomware attacks abounded. This added threat led the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) to issue an advisory in October detailing the additional compliance risks associated with paying ransoms. On a national level, “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.”[1] Even if the identity of the attacker is unknown, a victim may still commit a violation if they pay a ransom to a sanctioned individual or entity. Furthermore, individuals who assist or facilitate payments on behalf of a victim—including attorneys, insurance companies, and security vendors—may also be at risk of sanctions violations.

When confronted with a ransomware attack, organizations often panic and want the incident to be resolved at any cost. Many of them rush to pay the cyber terrorist. The risk of losing access to data can be preventively managed with a strong data backup policy, along with the implementation of strong information security controls. In some instances, organizations may still feel the need to pay cyber attackers in the hope that doing so will prevent publication of their data. But paying the ransom does not guarantee that the attacker will actually do what they say; the data may be posted or sold regardless of whether the victim pays. Paying ransoms fuels cyberterrorism internationally and puts the victim, and others, at greater risk.

OFAC guidelines

While the penalties for violating sanctions laws are steep and add to the legal, reputational, financial, and operational risks that accompany ransomware attacks, OFAC provides guidelines for appropriate response procedures and ways to potentially mitigate the repercussions of inadvertently committing a violation. If a violation is identified, “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response.”[2] A Framework for OFAC Compliance Commitments has been published to assist organizations in creating this type of program.[3] Having such a program in place reduces the risk of a violation to begin with, and potentially improves the outcome in the event of a violation. The five key categories identified by OFAC as primary components of a risk-based program are similar to the factors that contribute to a strong security culture. Proper response procedures at the time of an attack, including contacting OFAC and appropriate law enforcement agencies, also reflect favorably on an organization.

In assessing the potential risks associated with ransomware, it is important to consider the possibility of violating sanctions laws. Cyberattacks often come with a web of risks; preparation and adherence to best practices help to offset the uncertainty. Developing a strong compliance culture and establishing a strong incident response plan are important to proactively address risk.


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.

Notes

[1] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

[2] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

[3] https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf