The Louisiana National Guard was recently tasked with stopping a string of cyberattacks aimed at infecting state government offices with malware that deploys ransomware, according to a Reuters report citing two anonymous sources. The attacks have prompted concerns over election interference.
“Experts investigating the Louisiana incidents found a tool used by the hackers that was previously linked to a group associated with the North Korean government, according to a person familiar with the investigation,” reports Reuters. It’s yet another sign that 2020 is the year of ransomware targeting both government and the private sector, but private sector businesses don't have a National Guard to call in when things get rough.
Earlier this month, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory reminding businesses that paying ransom to cyber hackers could put them in violation of OFAC regulations. At first glance, it puts businesses that are already in an incredibly difficult situation in an even harder one.
Since businesses often aren’t certain which entities are behind ransomware attacks, the advisory is a potent reminder that the act of paying ransom (which many businesses are doing these days, even if they have backup systems in place, because of the time it could take to restore their systems) puts them at risk of paying sanctioned entities and exposing themselves to potential fines by the U.S. Government.
How Did We Get Here: The Year of Ransomware
“Until seven or eight years ago, it wasn’t much of a problem because we didn’t have untraceable payment systems,” former CrowdStrike CTO Dmitri Alperovitch told The Cipher Brief in a recent expert briefing.
Dmitri Alperovitch, Co-Founder, Crowdstrike, Executive Chairman at Silverado Policy Accelerator
In previous attacks before the emergence of Bitcoin and other cryptocurrencies, attackers would have to provide bank account numbers for someone to wire the ransom money. As you can imagine, this made it easy for law enforcement to figure out who owns the bank account and arrest the perpetrator. As a result, ransom wasn’t really a problem for the first 20 years, but as soon as Bitcoin appeared on the scene, there was a perfect way to collect payments, including huge ransom payments, anonymously, almost untraceably.
“2020 is the year of ransomware,” FireEye CEO Kevin Mandia told attendees of a recent Cipher Briefing.
Kevin Mandia, CEO & Board Director, FireEye
Ransomware is far more complex than it was when we first started responding to it back in 2016. For the first time ever, we’re seeing a separation of duty with different groups conducting these attacks. One group will break into a company and another will come in and extort with ransomware. They’ll encrypt a company’s drive and interrupt business so they can’t function.
“I thought the Solarium Commission made an excellent point that the companies that are coming under attack are very critical to our national security, but they’re outside the purview of the U.S. government,” says Cipher Brief Expert Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis. “Our national security is dependent on the ability of these companies to protect and defend their networks.”
That is likely the reason behind the Treasury Department advisory reminding companies that paying ransom can expose them to potential sanctions violations, and that the government is paying attention. With the number of ransomware attacks increasing in 2020, The Cipher Brief wants to know: where does this leave businesses?
Background:
Some of the most prominent ransomware attacks of 2020:
- Tyler Technologies (September 23, 2020): One of the largest solution providers to state, local, and federal governments in the U.S. was targeted with RansomExx ransomware. The company reportedly paid an undisclosed amount of ransom to recover its systems.
- Westech International (June 3, 2020): The Northrop Grumman subcontractor, providing support for the Minuteman III land-based ICBM, was attacked by a group likely with ties to Russian intelligence. The stolen data could “be of interest to other nation states.” It is unclear whether ransom was paid to recover the data.
- Conduent (May 29, 2020): The Fortune-100 IT solution provider was attacked by the MAZE ransomware syndicate likely operating out of Russia. The criminals published the stolen data to prove the breach. No ransom was paid to recover the system.
- Grubman Shire Meiselas & Sacks (May 2020): The REvil ransomware group hacked the entertainment law firm’s computer systems, stealing 756 gigabytes of private documents belonging to the firm’s celebrity clients. REvil claimed it received a ransom of $365,000.
- Cognizant (April 9, 2020): The multinational technology solutions corporation was attacked by the MAZE ransomware group, which disabled Cognizant’s internal systems. The company declined to pay ransom, facing up to $70 million in recovery costs.
- Visser Precision (February 2020): The supplier to major defense contractors was attacked using DoppelPaymer ransomware. After the company declined to pay ransom, confidential documents of SpaceX, Boeing, and Lockheed Martin were published online.
- Communications & Power Industries (CPI) (January 2020): CPI’s computer systems were attacked by file-encrypting malware. One affected system belonged to Aegis, a naval weapons system developed by Lockheed Martin. CPI paid a ransom of about $500,000.
Local governments and health facilities targeted by ransomware in 2020:
- Fairfax County Public Schools (FCPS) (September 2020): FCPS was targeted in a ransomware attack claimed by the MAZE ransomware syndicate. The investigation is still in progress.
- Universal Health Services (September 2020): A hospital and healthcare network with more than 400 facilities had its digital networks taken down in several locations in the US.
- Tillamook County, Ore. (January 22, 2020): The county was attacked by the REvil ransomware group, which encrypted the county’s internal computer systems, website, and email network. The county paid a ransom of $300,000 to recover its systems.
- University of California San Francisco (UCSF) (June 1, 2020): A malware encrypted some servers within UCSF’s School of Medicine. UCSF reportedly agreed to pay a ransom of $1.14 million to have its systems recovered.
- LaSalle County, Ill. (February 23, 2020): A ransomware attack infected the county’s systems, taking down email accounts and limiting access to documents. The county declined to pay the ransom. The total cost of recovery could be about $500,000.
- Florence, Ala. (May 6, 2020): The DoppelPaymer ransomware group shut down the city’s email system. The city reportedly paid a ransom of $291,000 in Bitcoin to have the system restored.
- San Miguel County, N.M. (February 6, 2020): A ransomware attack locked San Miguel County out of its computer network and compromised its backup system. The county reportedly paid $250,000 in Bitcoin to have its systems unlocked.
The Cipher Brief spoke with a number of our cyber experts to get a broader understanding of how the OFAC Advisory is being interpreted and what it could mean for small and midsize companies and organizations.
The Cipher Brief: What is your biggest concern if the U.S. government imposes sanctions on companies that find themselves in a position of paying ransom to hackers?
Leslie Ireland, Former Assistant Secretary of the Treasury for Intelligence and Analysis
My biggest concern is that this will be difficult for the small to medium-sized companies that get hit by a ransomware attack. They probably don’t have the resources that a large company has to thwart such an attack or prepare for such an attack. They also may not have the kinds of relationships that a large company has with a regulator.
Michael Leiter, Partner at Skadden, Arps, Slate, Meagher & Flom
If the USG does decide to impose sanctions on companies that fall under this advisory, they will be punishing the victim. Whether the USG likes it or not, paying ransom is often cheaper, faster, and less disruptive than recovering full networks. It doesn't guarantee success and it may encourage bad actors but putting the weight of all of society on a single victim is quite worrisome.
John Carlin, Fmr. Assistant Attorney General for National Security, Chair, Morrison & Foerster’s Global Risk and Crisis Management practice
I think it’s good that there was guidance put out. There have been a lot of questions and confusion around this. Companies want to do the right thing and getting clarity on what steps they’re supposed to take is a positive. In terms of enforcement, it’s a strict liability regime, but I hope the guidance is consistent with the goal to not re-victimize victims: If you follow the guidance and cooperate fully and openly with law enforcement early in an investigation and seek to use a vendor to make a payment, we’re not going to spend our time going after you, a victim who has followed the correct steps.
Randy Sabett, Special Counsel, Cyber/Data/Privacy Practice, Cooley LLP
Coming up with a definitive position on whether a given threat actor is subject to the OFAC requirements is not an easy process. These threat actors endeavor to maintain an untraceable/anonymous existence. As a result, if the USG decides to impose sanctions, companies could face an even lengthier and difficult decision process on whether or how to engage with the threat actor (or an entity brought in to negotiate with the threat actor) in a given incident.
The Cipher Brief: Does the threat of potential sanctions create an additional hardship for companies that find themselves victims of ransomware?
Kelly Bissell, Global Managing Director, Accenture Security
The advisory and sanctions regime target both victims and facilitators of payments such as the company, law firms, cybersecurity insurance providers, financial facilitators, and cybersecurity firms. Those facilitators may be in riskier situations because they could be making many payments and possibly paying the same actor multiple times. Government sanctions against ransom facilitators are also likely to have more of a deterrent effect. The advisory gives some important advice: Develop a compliance plan and build relationships with law enforcement.
Rick Ledgett, Former Deputy Director, National Security Agency
I would expect that the USG will not impose sanctions except in those cases in which the ransomed company has ignored the two glaring mitigating factors in the document. The document says "...OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome." In those cases, in which the company acts without being transparent, they should expect to be sanctioned. This is an excellent way to improve the ability of law enforcement to gain access to up-to-date information.
The Cipher Brief: Will this force companies and boards to adjust their strategies for dealing with cyberattacks like these?
Michael Leiter, Partner at Skadden, Arps, Slate, Meagher & Flom
Probably less than the USG imagines. The fact is it is so easy to change persona online that this will likely turn into a USG sanctions whack-a-mole. So, it may hurt companies’ ability to deal with ransomware, but mostly when attackers are slow and sluggish.
Leslie Ireland, Former Assistant Secretary of the Treasury for Intelligence and Analysis
Companies need to remain vigilant about understanding current threats and how they are evolving. With so many employees still at home, CISOs and their teams need to regularly update employees about these evolving threats. They also need to ensure employees continue proper cyber-hygiene, which may degrade as employees face greater distractions working from home.
Looking Ahead: What should we be focused on?
Randy Sabett, Special Counsel, Cyber/Data/Privacy Practice, Cooley LLP
I think the question of whether companies will continue to pay ransoms in spite of the guidance would be interesting to explore. If a company is facing a significantly or completely encrypted network with sensitive information on it, they might be tempted to pay despite the advisory.
Rick Ledgett, Former Deputy Director, National Security Agency
The government's efforts to identify the sources of ransomware are important and should continue. Without knowing the source of ransomware, it's impossible for a hacked entity to apply the guidance. There will likely be a large number of requests made to government for information and attribution on ransomware attacks, which will put pressure on the intelligence community and on DHS. I actually think that's OK, as beginning at the end of last year, ransomware has become a national security threat due to its prevalence in state and local governments.
John Carlin, Fmr. Assistant Attorney General for National Security, Chair, Morrison & Foerster’s Global Risk and Crisis Management practice
We need to see improvement on information sharing. We should also consider providing free assessments and working to make sure that there isn’t increased liability for getting an assessment. We’ve already done that with physical site security. We could also outsource solutions for smaller companies and incentivize the use of that solution. We can also encourage people to get insurance. These are all possible solutions that deserve additional thought.
Michael Leiter, Partner, Skadden, Arps, Slate, Meagher & Flom
We need to find new ways to facilitate international collaboration on cybercrime. This is critical and we need to re-invigorate deterrence, which is basically dead in this context. Sanctions won't do that.
Kelly Bissell, Global Managing Director, Accenture Security
The government has really stepped up its game in encouraging public/private cooperation, and that needs to continue, but to quote General Michael Hayden, “The Cyber Cavalry Ain’t Coming.” Companies must implement security from the boardroom to the computer room. They must have a good plan in place.
The Cipher Brief Research Unit:
Top-5 ransomware threats:
- MAZE
  - The MAZE ransomware, previously known as “ChaCha ransomware,” was likely created in Russia and was first discovered on May 29, 2019.
  - This ransomware steals a user’s personal data, encrypts it, and then threatens to publish it.
  - The main forms of distribution are malspam campaigns that weaponize attachments; the most popular are Word and Excel files.
  - This ransomware can lead to a complete loss of files, as it deletes shadow copies and decrypting the encrypted files might not work.
- Ryuk
  - Originated in August 2018.
  - Ryuk is most likely the creation of a financially motivated Russian cyber gang called Grim Spider, a subdivision of the larger cybercriminal operation Wizard Spider, which is responsible for creating the TrickBot banking trojan.
  - Multiple Ryuk ransomware victims were first infected with the TrickBot malware before the ransomware was deployed on their systems.
- REvil
  - Also known as Sodinokibi or Sodin ransomware
  - Very recently developed (May 2020)
  - Is connected to the now-defunct GandCrab ransomware
  - Is ransomware as a service (RaaS), meaning that underground vendors sell it to threat actors by providing them with a ransomware platform
  - Like GandCrab, the Sodinokibi ransomware follows an affiliate revenue system, which allows other cybercriminals to spread it through several vectors
  - Infection vectors include
    - Active exploitation of a vulnerability in Oracle WebLogic
    - Malicious spam/phishing campaigns using weaponized attachments
    - Malvertising, or criminally controlled adverts meant to infect unsuspecting users and spread malware among them
- Dharma
  - Also known as CrySIS
  - Is a family of ransomware that has been evolving since at least 2016
  - Methods of entry focus on weaponized file attachments and double file extensions, which hide a program that runs after the intended file is downloaded
  - Most of the attacks are delivered manually in attacks that exploit weak or leaked Remote Desktop Protocol (RDP) credentials; RDP allows a user to remotely control another computer or other computers through a shared network connection
  - This means that Dharma attacks are limited by the speed and efficiency of a human operator, as well as by access to RDP credentials
- DoppelPaymer
  - Also known as Doppel Spider, the DoppelPaymer ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a ransom demand.
  - DoppelPaymer was likely created in Russia in 2019.
  - The ransomware was used in the attacks against the NASA contractor Digital Management Inc. (DMI), the defense-contractor supplier Visser Precision, and the security staffing firm Allied Universal, all in 2020.
We will continue to bring you more detailed expert perspective on the ransomware issue all week in The Cipher Brief. Read more of our interview with Leslie Ireland in What Does Paying Ransom Mean for Business exclusively in The Cipher Brief.
Cipher Brief Interns Vladimir Semizhonov and Brandon Nguyen contributed research for this report.