Navigating the Ransomware Conundrum

Earlier this month, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory, reminding businesses that if they pay ransom to cyber hackers, they could be violating OFAC regulations. 

At first glance, the advisory puts businesses that are already in an incredibly difficult situation in an even harder one, with the reminder that the government may fine you for paying off ransomware hackers.


Earlier this week, we brought you The Ransomware Conundrum, which included key expert perspective on what this means for businesses that find themselves victims of ransomware.

Today, we hear more from Kelly Bissell, Global Managing Director, Accenture Security, on what this means for businesses.

The Cipher Brief:  What is your biggest concern if the USG does decide to impose sanctions on companies that fall under the OFAC advisory?

Bissell:  I do not have concerns with the USG stance but more around companies’ awareness.

I agree with the advisory and it reinforces what we often tell our clients: Don’t pay ransom.   Paying ransom demonstrates to attackers that victims can be exploited and attacked again.  It empowers the bad guys and contributes to the growth of more ransomware, making them and the world less safe.

The advisory bolsters important awareness:  Those who pay ransom or facilitate such payments could be subject to sanctions violations.

We encourage our clients to be on the look-out for these attacks and to take actions today to prevent attacks, have verified backups, and have a practiced and quick response if it does happen.

The Cipher Brief:  Does the threat of potential sanctions create an additional hardship for companies that find themselves victims of ransomware?

Bissell:  It does not create hardship but does force companies to re-think their plans and understand the consequences for themselves and their cybersecurity insurance provider.

The sanctions regime isn’t new, but the advisory provides a good reminder.  That said, if there is anything new, it is the suggestion that the U.S. government is looking to exercise more of its existing enforcement authority with respect to ransomware payments.

The advisory and sanctions regime target both victims and facilitators of payments such as the company, law firms, cybersecurity insurance providers, financial facilitators, and cybersecurity firms.  Those facilitators may be in riskier situations because they could be making many payments and possibly paying the same actor multiple times.  Government sanctions against ransom facilitators are also likely to have more of a deterrent effect.

The advisory also gives some important advice:  Develop a compliance plan and build relationships with law enforcement.

Industry should not view this advisory in a silo.  In the past, the FBI and DOJ have similarly discouraged ransom payments.  This advisory was notable because it suggests potential enforcement action.

The Cipher Brief:  Will it force companies and boards to adjust their strategies for dealing with cyberattacks like these?

Bissell:  With the U.S. government as the messenger here, yes, it should.  If companies don’t have practiced incident response plans—they need them now.  If they are building them, it is critical to involve their operations, finance, and legal teams, with law enforcement and regulators as key partners.  They need all these players in a practiced playbook before bad things happen.  When an event happens, everyone will be critical to informing what actions to take, when, including how to deal with a request for ransom and how to work with law enforcement, how to recover data, and what to tell customers.

It is important to remember that many times, it is difficult to know the actual identity of the threat actor and therefore difficult to determine positively whether or not the actor is a sanctioned entity or in a sanctioned country.  As the advisory noted, a business can be held liable even if they don’t truly know the identity of the attacker.  Leaders should work with their Legal and Compliance teams to develop a compliance program that takes this into account – considering, for example, understanding the SDN lists and how to check names, organizations and wallets against them, and using threat intelligence to try to learn more about the attacker and the indicators of the compromise.

Also, work with law enforcement.  The first time you speak to law enforcement should not be during a crisis.  If a company has reason to believe or suspects that the threat actor is a listed entity, communication with law enforcement would seem even more important.

A new tactic, referenced in our just-released Threatscape report, to name and shame victims into paying the ransom adds a new dynamic to this environment.  Victim costs are going up. It’s not just about reconstructing data anymore—there are significant trust and reputation costs to consider.  This is even more reason to have a fulsome incident response plan that involves all the right internal and external stakeholders—not just the cybersecurity team.

The Cipher Brief:  Are there additional things the federal government could be doing to help support companies that are victims of ransomware?

Bissell:  The Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued guidance to industry earlier this year on different but related issues around gathering threat intelligence (including purchasing data) on the dark web.

It reinforced certain restrictions – e.g. not accessing forums in an unauthorized manner, being careful about what information you provide on forums, not purchasing a third party’s data.

The government has really stepped up its game in encouraging public/private cooperation and that needs to continue but to quote General Michael Hayden, “The Cavalry Ain’t Coming”.

Companies must implement security from the boardroom to the computer room.  They must have a good plan in place. It encouraged certain actions to minimize risks – e.g. rules of engagement outlining acceptable conduct, building relationships/trusted lines of comms with law enforcement, documenting plans, implementing risk-based compliance programs (related to potential sanctions prohibitions).
