Written By: Jonathan Arena, CISSP, ITIL, CSM
President & Founder of White Clay Technology
This document should be considered critical knowledge for any business or organization that has been or could become crippled by a cyber-attack (which covers just about everyone.)
At the beginning of October 2020, the US Treasury Department came out with a brief on their concerns about ransomware victims making the ransom payments. Ransomware has become the weapon of choice among cyber criminals and a major source of their revenue over the past two years. The average ransom is now over $111,000 USD. These are not your stereotypical, basement-dwelling, hoodie-wearing hackers doing this. This is 21st century organized criminal activity, oftentimes backed by rogue or competitive nation-states.
The US Treasury’s OFAC (Office of Foreign Assets Control) Division has made several declarations in this document. Some of these are not new, but rather reminders. For example, if you are doing business with an embargoed country such as Iran, North Korea Cuba, the Crimea region of Ukraine, or Syria you are going to catch OFAC’s attention.
What is less known is that OFAC also keeps a blocked persons list as part of the International Emergency Economic Powers Act (IEEPA). This list includes several cyber-criminal groups.
Cyber criminals, we’ll just call them criminals for short, don’t care about laws. They will cause havoc and demand their ransom from whoever they can take advantage of. Increasingly, but not exclusively, that is small businesses who do not have the appropriate countermeasures available to withstand a ransomware attack, other than to quietly pay the ransom.
This puts ransomware victims in a precarious situation about how to proceed. Below, I have outlined the key points of the OFAC document, and translate their meaning:
- “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
What This Means: In addition to being the casualty of a ransomware based cyber-attack and potentially losing all of your important data, OFAC is also going to fine you if you knowingly (or unknowingly) funded the criminals that are on their sanction list.
- “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).”
What This Means: If you’re helping the victim mitigate their ransomware incident, you’re also liable if you suggest that they pay the ransom.
- “OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.”
What This Means: Take common sense steps to minimize your risk. Back up your data in a remote location regularly, encrypt your critical data, and practice good cyber hygiene.
- “OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.”
What This Means: While they’re still planning on fining you if you do pay the ransom, you should still report the crime, and work with law enforcement from the beginning and they may be lenient…maybe.
So, in short:
- Be sure to take the necessary steps to appropriately reduce your cyber risk so you do not get into a ransomware situation.
- It is always best to not pay the ransom.
- Cyber insurance, forensics, incident responders and financial institutions will no longer tell you just to pay the ransom and move on, as that now places liability on their shoulders.
- You should always inform law enforcement immediately when you have a ransomware incident so it is recorded, to reduce your civil liability should you need to pay the ransom.
While the OFAC rules may seem unfair to the victim organizations of these crimes, from their perspective they are looking out for the best interests of the nation as a whole.
By taking these measures they are discouraging anyone from paying a ransom, but they are telling us all to stay vigilant, and to take the necessary precautions for an event that we know is inevitably coming.
(You can read the full brief at: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf).
For more information on White Clay Technology, please visit us at https://www.whiteclaytechnology.com
Jonathan Arena is a recognized technology & cyber security expert. He has spent 25 years in the managed service provider segment of the IT industry serving Fortune 500 clients and small business clients alike. He is the President & Founder of White Clay Technology and RealTechPros. Jonathan is also a Technology, Cyber Security & Data Privacy professor at Wilmington University in Delaware.
Jonathan has served on multiple academic boards including the Cyber Security boards for the University of Delaware, Rutgers University and Ithaca College, as well as the Wilmington University Technology Course Advisory Board.
Jonathan is CISSP, ITIL & CSM certified and he holds a bachelor’s degree from Wilmington University. Jonathan was named a “2016 Delaware Achiever & Innovator Under 40” by the Delaware Business Times.