We haven’t exactly been shy about sharing our recommendation that a ransomware demand should never be met with payment, but there is now an even more impactful reason not to. This deterrent comes courtesy of the United States Treasury Department, which has released a statement informing businesses of potential fines as retribution for doing so.
Let’s review how ransomware can be so costly, and what costs these fines could add to it.
Thanks to how connected the world is today, criminal activity has a much longer reach than it ever has. Just compare the old stagecoach robberies of the Old West, where bandits literally had to run down their targets on horseback, to the cybercrimes that are committed today. Nowadays, cybercrimes can easily strike the businesses and residents of Chicago while—somewhere in Romania—the perpetrator lounges on their canapea.
To accomplish this, many cybercriminals have turned to using ransomware. Ransomware is a variety of malware that encrypts a targeted system, effectively rendering it useless until a handsome ransom is paid for the release of the locked-down data and resources. Unfortunately, there is no guarantee that the cybercriminal won’t just take the money and leave the system as is. This outcome is just as common as one might assume.
Hence, our advice that one should never pay the ransom that these cybercriminals demand. While we completely understand that it may seem to be the quickest way to restore your data and resume your operations (and for many, quite possibly the only hope they have of doing so), this is precisely the thought that the cybercriminals want you to have in mind.
Therefore, paying for your access to your data to be restored simply isn’t an advisable strategy, if for no other reason than the very real risk that your data won’t be returned to you even if you do pay. Furthermore, any money you give the attacker will likely just help them finance more attacks.
However, with the Treasury Department’s statement, these issues become just the start of your problems if you do choose to pay the ransom.
Rather than simply advising businesses not to pay, the Treasury Department is implementing more punitive measures. Now, the Treasury Department warns, the federal government could levy some significant fines against businesses for paying these ransoms, as doing so could very well violate terms that the Treasury’s Office of Foreign Assets Control (OFAC) has established.
OFAC released an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, wherein it was outlined how many cybercriminal groups (including the Lazarus Group out of North Korea, the Evil Corp syndicate from Russia, and numerous individuals tied to SamSam and Cryptolocker) primarily operate out of regions that are subject to economic sanctions. As a result, any transactions made with these groups are themselves a crime, including any ransomware payments.
After all, it is entirely possible that these payments could wind up assisting some other direct threat to national security. Therefore, unless given special dispensation from the Treasury, a business that pays up a ransomware demand could very well have millions of dollars in fines to pay to Uncle Sam after the fact.
For some clarification, this advisory doesn’t technically ban ransomware payments carte blanche. Rather, it is meant to encourage companies impacted by ransomware to either reach out to law enforcement to gain clearance or to obtain a license from OFAC before handing over any funds. It is important to acknowledge, however, that these permissions aren’t likely to be granted.
Of course, we have no way of knowing how strictly these policies will be enforced, but being safe rather than being sorry is a good policy in these circumstances.
Making a complicated situation even more complex, OFAC’s advisory is completely at odds with the advice that many insurance companies give their policyholder clients to just pay the ransom and make a claim for the losses. The idea behind this is that just paying the ransom would be less costly than dealing with the expense and downtime that recovering from a backup would hold… but at the same time, this course of action doesn’t exactly discourage cybercriminals from leveraging ransomware in their attacks.
With these sanctions in place, insurance companies would no longer be able to provide such policies, as the costs of doing so would be prohibitive—even if providers were to condone paying these ransoms. As a result, it is possible that cyber insurance policies may eventually stop covering ransomware, which in turn may lead to many businesses reconsidering their investment into such policies.
With these circumstances, it is even more important that businesses can protect themselves from ransomware, which means that there will need to be increased awareness into the risk factors that precede it. This is particularly true, given the recent upswing in the number of remote workers.
Make sure that your team knows how common it is for ransomware to be spread through phishing messages, disguised as attachments or links. This will help to keep them more aware of the risk and be more on their guard in case an attack comes their way.
For more information about ransomware and how to avoid it, or any other security concerns and the solutions that help address them, reach out to Citara Systems. Our team of experienced IT experts is here to lend a hand as you protect your business. Learn more about what we can do by calling (508) 532-0837.