It was bound to happen. And this week, it finally did.
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the legal concerns around payments made for ransomware attacks.
Coincidentally, our own infamous Director of Threat Research, Paul Scott, published a Weekly Threat Report regarding the continued growth and damage from ransomware against SMBs, enterprises, and governments on the same day.
This advisory is big news. Most of us in the security space understand that paying a ransom to bad actors provides further motivation for malicious activity. However, each organization and attack is different, and sometimes paying that ransom is the best of a couple of bad options.
We aren’t here to judge why. The fact is that ransomware payments continue to grow, the number and scale of attacks continue to grow, and inevitably, the efforts of bad actors will continue to grow as well.
Now, the U.S. Treasury has stepped in to declare that ransomware payments can be a threat to national security. Federal sanctions against foreign governments and groups aren’t something to be taken lightly, and the advisory’s strict guidance tells us that “facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.”
In case you’re wondering what that means, we asked our super nerdy (even for us) ex-banker CISO, Wes Spencer, to translate that financial speak for us. He said, “Basically, the U.S. Treasury is putting a line in the sand. It’s always been illegal to pay off a criminal, let alone ransomware actors, many of which operate in OFAC-sanctioned countries. But now, the Treasury is getting serious. We bankers have always said, ‘don’t cross the OFAC list,’ but now I think they’re really putting some force behind the law.”
The usual method of payment is a cryptocurrency that gets bounced around and becomes intentionally difficult to trace. While those payments are usually hard to track, they aren’t always. And in any case, they’re certainly not going towards a good cause.
What does all of this mean for businesses and operators in the security space? For one, it means that paying a ransom is no longer a viable option under any circumstance. Unless the threat actors identify themselves and provide undeniable proof that they aren’t from a sanctioned group or government, the potential threat to national security and the corresponding involvement of OFAC cannot be dismissed.
OFAC and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have established that OFAC will consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.” Significant resources are available and should be utilized. We strongly recommend reviewing the full advisory linked below and CISA’s ransomware guide.
Perch Security combats ransomware attempts daily. The threats are very real, constant, and ever-expanding. Layered security, quick detection, and timely remediation are the best defense against malicious actors. Please reach out if you have questions about how Perch can help prevent ransomware attacks against your organization. We urge everyone to seriously consider this guidance from OFAC and update their plans for a potential ransomware incident.
CISA Ransomware Guide
Perch Threat Report