Many companies take a “no pay ransomware” stance until they are faced with a ransomware attack, especially an attack that causes a significant business disruption. At this point, the company can reconsider its position (or at least make an exception for a one-time ransomware payment). The problem is that the payment can be illegal if it is made to certain embargoed countries or threat actors.
On September 21, 2021, the Office of Foreign Assets Control (OFAC) of the US Treasury Department updated its advisory addressing the sanctions risks associated with making payments to ransomware actors. Many malicious cyber actors are located in embargoed countries such as Iran and North Korea. In addition, OFAC has specifically sanctioned ransomware attackers and facilitators of ransomware transactions, such as virtual currency exchanges. It is illegal for US persons to deal with these sanctioned parties, and OFAC rules provide no exemption for ransomware payments.
Here are the highlights of some key changes and new points of importance in OFAC’s guidance:
- Don’t pay! (And strengthen your defenses so you don’t have to)
- OFAC has been adamant in advising against the payment of ransoms: the US government “strongly advises against” paying ransoms.
- Why? Payments encourage bad actors, potentially threaten national security, and can constitute sanctions violations. Moreover, these actors do not reliably hold up their end of the bargain, often sending ineffective or malware-laced decryption keys or extorting a business again after it has paid.
- The best way to avoid sanctions violations from ransomware payments is to avoid ransomware! Thus, to sidestep these problems entirely, OFAC recommends “strengthening defensive and resilience measures to prevent and protect” against attacks.
- The update highlighted the 225% increase in ransomware losses from 2019 to 2020, and that no sector has been spared: large and small businesses; government and infrastructure entities; schools and hospitals.
- On September 21, OFAC also designated the virtual currency exchange SUEX for facilitating financial transactions for actors associated with at least eight ransomware strains. As a result, all of SUEX’s property and interests in property within US jurisdiction are blocked, and US persons are generally prohibited from doing business with it.
- The designation serves as a useful reminder to exercise due diligence on the ransom payment flow if payment is deemed absolutely necessary.
- OFAC has articulated “proactive measures” that companies can take that OFAC would consider “mitigating factors” in any enforcement action related to sanctions.
- OFAC has endorsed the best mitigation practices outlined in the September 2020 Ransomware Guide from the Cybersecurity and Infrastructure Security Agency (CISA).
- The CISA Guide contains recommendations that any entity should implement, for example: offline data backups; incident response plans; cybersecurity training; patching and updating of network systems; and multi-factor authentication.
- While many companies work with their forensic consulting firm (and insurance company) to identify whether a threat actor is from a country sanctioned by OFAC, OFAC will give credit to entities that report ransomware attacks with a sanctions nexus to the FBI, US Secret Service, CISA and other US agencies, treating such a report as voluntary self-disclosure under OFAC’s enforcement guidelines.
- A report made “as soon as possible after discovery” is a “significant mitigating factor” in any subsequent enforcement action.
- OFAC is also in favor of communicating details of the ransom demand and payment instructions to law enforcement.
- You can even help yourself as law enforcement may have alternative decryption tools and may recover part of your payment.
- OFAC now wishes to be contacted if there is “any” reason to “suspect” (not merely to believe) that the threat actor is sanctioned or linked to a sanctioned party. OFAC’s Enforcement Guidelines give significant mitigation credit for voluntary self-disclosure of potential violations when determining the appropriate enforcement action.
- Although OFAC reviews each case on its own facts, it is “more likely” to resolve a ransomware-related violation with a non-public “no-action letter” or “warning letter” when an entity takes mitigating action and reports attacks to law enforcement.
The OFAC guidance update highlights how critical it is for companies to have a detailed ransomware response plan (as part of their incident response plan or as a separate ransomware-specific policy) that explains how to detect, mitigate, recover from and report an attack. Such a plan should also include the company’s specific considerations as to whether, and in what scenarios, it would make an exception to its non-payment position and pay a ransom. The sanctions risk highlighted by OFAC should be part of this assessment. Formulating a response plan is just one aspect of a robust cyber defense that will help businesses avoid not only becoming cyber victims, but also the harshest consequences of penalties for paying a ransom.
Questions? Please contact Dave Feder, Jim Koenig, Melissa Duffy, Tyler Newby or any member of the Fenwick Compliance group and / or the Privacy and Cyber Security practice.