The decision to pay a ransom, often framed as a basic math problem, just became more legally complex.
Organizations that pay ransomware demands without a license or arrangement with the Treasury Department's Office of Foreign Assets Control (OFAC) could face financial ramifications, according to an advisory from the federal agency Thursday.
Paying ransoms encourages future ransomware demands and risks violating OFAC regulations, the agency said. Organizations that aid companies in covering or facilitating ransomware payment to criminals sanctioned by OFAC could also face penalties, including cyber insurers, digital forensics and incident response.
Organizations are in limbo. Pay a ransom at the risk of a fine from no less than the Treasury. The math problem organizations were solving for — does recovery cost less than the ransom — must now factor in an unknown quantity: fines.
"Larger companies and governmental organizations likely find it impossible to cover up a large-scale ransomware attack," said Mike Wilson, founder and CTO of Enzoic. But the FBI reportedly works with groups like cyber insurers, knowing that smaller organizations are often more inclined to pay ransoms unbeknownst to the public and law enforcement, said Wilson.
"But even that is likely missing all of the companies which either didn’t have cybersecurity insurance or the amount of the ransom was too small for them to bother making a claim," Wilson said.
For some industries, the stakes are higher and risking a ransom payment is worth the repercussions.
Cybercriminals targeted manufacturers, professional services, and government organizations the most in Q2 2020, according to data from IBM Security X-Force.
"Attacks on these three industries suggest that ransomware threat actors are seeking out victims with a low tolerance for downtime," the report said. Industries reliant on stable uptime are more inclined to pay a ransom to "regain access to data and resume operations."
Ransomware has also targeted organizations with mandates to guarantee data privacy: schools and healthcare. Last month hackers released student records in a Las Vegas school district with about 320,000 students after the district refused to pay.
A number of higher education institutions were hit in May and June and then again in August and September, according to IBM Security X-Force. Of those universities, some paid between $400,000 and $1 million in ransoms.
By May, at least 26 U.S.-based healthcare providers were hit by ransomware as cybercriminals capitalized on the COVID-19 crisis. Between April and June 29, only seven healthcare providers are said to have paid ransoms. The University of California San Francisco School of Medicine, felt compelled to pay because the encrypted data contributed to "serving the public good," according to the university.
When a ransomware attack struck University Hospital Düsseldorf in Germany last month, the operational disruption rerouted a patient with a "life-threatening condition" to another hospital 20 miles away, according to Emsisoft. The inability to admit the woman led to her death. It is largely considered the first death caused by a cyberattack, according to Ciaran Martin, the former head of the United Kingdom's National Cyber Security Center last month.
"If I had one policy card to play in the next year, I would ask for a serious examination of whether we should change the law to make it illegal for organizations in the U.K. to pay ransoms in the case of ransomware," said Martin.
The inundation of ransomware industry and local municipalities received in the last year is a "worsening problem," Brett Callow, threat analyst at Emsisoft, told CIO Dive in an email. The solution "is to impose a ban on the payment of ransom demands. If the flow of cash stops, the attacks will stop."
Paying incentivizes more attacks because it proves their profitability. Paying a ransom enables criminals and adversaries, "with a sanctions nexus to profit," contributing to future crimes," OFAC said.
While Gartner does not advise clients on whether or not to pay a ransom, Wam Voster, senior research director at Gartner, agrees that ransom payments prove the attacks are "worth the effort" for hackers.
"Secondly, you provide them with the means to do the same for other organizations," said Voster. "There are quite a number of organizations that only start thinking about ransomware when it's knocking on their door. And then of course, it's way too late."
An eye for an eye
As ransomware attacks become synonymous with data breaches, consumer data is left vulnerable. The FBI found a 37% year-over-year increase in ransomware cases between 2018 and 2019, and a 147% increase with their respective losses, according to the advisory.
The International Emergency Economic Powers Act and the Trading with the Enemy Act prohibits "U.S. persons" from engaging in ransom transactions, "directly or indirectly," with those outlined in OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List).
There is always a risk of an entity agreeing to a payment with an SDN person, or flagged hacker group. OFAC can penalize an individual "for sanctions violations based on strict liability … even if it did not know or have reason to know it was engaging in a transaction" with someone prohibited by OFAC, according to the avisory.
When OFAC calculates a penalty or action, the agency considers the victim company's "full and timely cooperation with law enforcement" during and after the cyberattack.
But "the incentives for organizations to conceal that they were attacked are all aligned in the wrong direction. Reporting the incident to law enforcement doesn’t have much upside," said Wilson. "The effort of reporting the incident may sap resources needed to deal with the downtime."
Because organizations face response procedures, costs, and fallout on their own, the incentives to report an incident are "misaligned," according to Wilson. If more resources were available to aid in recovery, there might be more transparency with law enforcement.
A strategic private and public sector relationship is needed. One solution is federal resources scanning U.S. internet vulnerabilities in corporate security, alerting and then consulting vulnerable parties through response, said Wilson.