Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on this word Ransom, what is it?
Paying a ransom is not something new. It has been used in the early 1800s to pay for release of a prisoner. In today’s day and age, this word is very widely used in the Cybersecurity space with billions of dollars in Bitcoin being paid as a ransom for release of information that was encrypted or stolen by the bad actors (the bad guys/gals) every year.
While it is very natural for an organization or individual to make payments in the hopes of getting their sensitive data back, often times promises are not kept and there are other issues such as repeat of the same attack.
Here are few examples of ransoms that was paid 2019 to the bad guys where the organization paying the ransom was able to get its data back.
- Park DuValle Community Health Center, Kentucky, USA
Amount paid: $70,000
- La Porte County, Indiana, USA
Amount paid: $130,000
- Jackson County, Georgia, USA
Amount paid: $400,000
- Lake City, Florida, USA
Amount paid: $500,000
There are many more…
Most of these organizations used Cyber Insurance and were able to use some part of its payout as payment to the cyber criminal. Also, most of these organizations contacted FBI or other US Agencies and worked directly or indirectly to negotiate and process the payments.
The big question to be answered comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and then plan to spend millions of dollars in recovering from such an incident. While the answer to this question is not straight forward like any other decision in the Cybersecurity space. It is often answered in a haste or without considering all risks. Take the example of City of Atlanta,
The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/
Then there are other considerations such as organization’s reputation, continuing business operations and putting proper counter measures in place to prevent this from happening in the future. There is however one more thing that you have to consider in the form of this simple question.
Are you violating any rules and regulations of the U.S Department of Treasury’s by making a payment to the bad guys?
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently put out an advisory – Ransomware Advisory (Link) bringing up several important things to consider for organizations affected by ransomware or companies* who are assisting organizations hit by ransomware.
* These companies include Law firms, Cybersecurity insurance companies, or Financial institutions facilitating the ransomware payments.
Let us look at a few highlights of this Advisory:
OFAC states that these ransom payments could facilitate the bad actors and the states they may represent to support their illegal activities.
Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001
OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to effectively enforce foreign policies and national security goals.
So what does it really mean? If you or an organization were to pay the ransom in any way or form to an cyber-criminal, aka bad guy, and this individual or entity happens to be in one of the sanctioned countries , then you will be violating OFAC’s regulations. Simply put these payments with the sanctions nexus (associated or connected with the sanctions) threatens the U.S. National Security Interests.
So what should an organization that actively dealing with a ransomware attack do?
The OFAC’s Ransomware Advisory encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists all the departments that you may need to contact, such as:
- U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
- Financial Crimes Enforcement Network (FinCEN)
- Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
- Homeland Security Investigations Field Office (ice.gov)
- Federal Bureau of Investigation Cyber Task Force (fbi.gov)
- U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)
In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous, adding to the various risks that an organization should consider when planning their Business Continuity and Disaster Recovery programs. While this article focused on United States and affects US Persons and Non-US Persons. It will be worthwhile to research regulations and laws in your regions of business operations.
Looking for the OFAC’s Ransomware Advisory, check out this page: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001