Uptake and Update on Ransomware
Ransom demands have continued to grow in 2020, and data exfiltration now features in an increasing share of the incidents we see. Many clients ask us whether they should pay the ransom and whether any regulatory issues are at play.
CyberClan understands the impact of the rise in ransomware events and the sophisticated tactics that criminal third parties use to encrypt many devices simultaneously while deleting or encrypting backups. Exfiltrating data before deploying the ransomware, so that the victim can also be extorted with the threat of publication, is becoming common as well. Because the criminals remain anonymous, a victim cannot readily tell who will receive a payment, and that raises sanctions concerns.
On October 1, 2020, the U.S. Department of Treasury’s Office of Terrorism and Financial Intelligence published two advisories on sanctions and anti-money laundering risks of facilitating ransom payments. These advisories came from both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) and have serious implications for businesses and individuals handling ransomware attacks.
Overall, the advisories reinforce that anyone paying a ransom demand should rely on experts to assist with due diligence and should work with law enforcement to ensure that the payment is both commercially and legally appropriate. Experience in incident response is critical here, and your cybersecurity advisors should be engaged as an informed partner to help navigate this evolving area.
When a ransomware attack occurs, a cyber forensic firm is generally retained to undertake this due diligence and ensure that a payment will not be made to an organization, group, individual, or jurisdiction that is reasonably suspected of being subject to national or international sanctions. Checks are also made to ensure that anti-money laundering laws are not violated. This step maintains propriety in handling the attack while minimizing business interruption.
Too often a company rushes to pay a ransom in order to maintain business continuity and stop further damage from the breach. However, because most threat actors remain anonymous and demand payment in cryptocurrency, it is paramount to the safety of the company, and of any service providers engaged, to complete sanctions and anti-money laundering checks before paying. OFAC may impose civil penalties for sanctions violations on a strict liability basis, so a company and its service providers that skip this step expose themselves to civil penalties or criminal charges under U.S. sanctions and anti-money laundering laws even if they did not know the recipient was sanctioned.
CyberClan policies and best practices are aligned with the recent OFAC guidance and reinforce what we already know.
- Applications for OFAC licenses to make ransom payments are reviewed case by case with a presumption of denial, which may rest solely on U.S. policy interests.
- Payments to sanctioned individuals and/or entities can result in significant penalties.
- Cooperating with law enforcement is essential. Although many of our clients do work with law enforcement, we know that many clients are not reporting incidents. OFAC’s guidance underlines the importance of early and continuing cooperation with law enforcement as a “significant mitigating” factor in the enforcement context.
- The U.S. government encourages organizations not to pay ransom demands, although there is no general prohibition on doing so; what is prohibited is a payment to a sanctioned person or jurisdiction.
- The advisories do not prescribe different handling for particular malware families or cryptocurrencies, and they impose no explicit obligation to contact OFAC during a ransomware event, though they encourage doing so where a payment may involve a sanctions nexus.
CyberClan engages in all proper due diligence, which includes ascertaining key identifiers during the ransomware event, such as the ransomware strain and the cryptocurrency wallet addresses supplied for payment, to demonstrate to any regulator that reasonable steps were taken to avoid any association with a banned entity. Completing a proper and thorough sanctions check is critical, as is filing and retaining all documentation of the investigation, the sanctions screening, and the due diligence in case of a subsequent investigation.
The advisories also encourage contacting the U.S. Department of the Treasury's Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may significantly disrupt a firm's ability to perform critical financial services.