Ransomware Advisories: Is Your Cybersecurity Firm Ready?

Uptake and Update on Ransomware

Ransom demands continued to grow at an increasing rate in 2020, and data exfiltration is employed in a growing share of the incidents we see. Many clients seek our guidance on whether they should pay the ransom and whether any regulatory issues are at play.
CyberClan understands the impact of increased ransomware events and the sophisticated tactics that third-party criminals are using to encrypt multiple devices simultaneously while also deleting or encrypting backup files. Recently, it has also become more common for these criminals to exfiltrate data before spreading ransomware. The anonymity of cybercriminals raises the potential for sanctions concerns.

On October 1, 2020, the U.S. Department of Treasury’s Office of Terrorism and Financial Intelligence published two advisories on sanctions and anti-money laundering risks of facilitating ransom payments. These advisories came from both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) and have serious implications for businesses and individuals handling ransomware attacks.

Overall, the advisories reinforce that organizations facing ransom demands should rely on experts to assist with their due diligence and work with law enforcement to ensure that any payment is both commercially and legally appropriate. Additionally, experience in incident response is critical, and your cybersecurity advisors should be engaged as an informed and experienced partner to help navigate this ever-evolving area.

When a ransomware attack occurs, a cyber forensic firm is generally retained to undertake this due diligence, ensuring that a payment will not be made to an organization, group, individual, or country reasonably suspected of being on a national or international sanctions list, and that anti-money laundering laws are not being violated. This is a critical step in handling attacks properly while minimizing business interruption.

Too often a company will rush to pay a ransom in order to maintain business continuity and stop further damage from the breach. However, with most threat actors remaining anonymous and demanding payment in various cryptocurrencies, it is paramount to the safety of the company, and of any service providers engaged, to check with all relevant regulatory bodies. Otherwise, a company and its service providers leave themselves exposed to criminal charges or other potential violations of U.S. sanctions and anti-money laundering laws.

CyberClan policies and best practices are aligned with the recent OFAC guidance and reinforce what we already know.

  • Applications for licenses to make ransom payments will be handled with a presumption of denial, which may be based solely on U.S. policy interests.
  • Payments to sanctioned individuals and/or entities can result in significant penalties.
  • Cooperating with law enforcement is essential. Although many of our clients do work with law enforcement, we know that many clients are not reporting incidents. OFAC’s guidance underlines the importance of early and continuing cooperation with law enforcement as a “significant mitigating” factor in the enforcement context.
  • The U.S. government encourages organizations not to pay ransom demands, although there is no prohibition on doing so.
  • Specific malware families and the individual treatment of different cryptocurrencies are not mentioned, nor is there a tacit obligation to communicate with OFAC during a ransomware event.

CyberClan engages in all proper due diligence, which includes ascertaining key identifiers during the ransomware event to demonstrate to any regulator that reasonable steps were taken to avoid any association with a banned entity. Additionally, completing a proper and thorough sanctions check is critical, as is ensuring that all relevant documentation pertaining to the investigation, sanctions, and due diligence is filed and maintained in case of a subsequent investigation.

The advisories also encourage contact with the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.
