Ransomware works because people pay, but the government wants to impede cybercriminal profits by imposing fines. For some, paying an extortion is worth the penalty.
In October, the Treasury Department added sanctions to the risk calculus of paying a ransom. The department's Office of Foreign Assets Control (OFAC) added cyber insurers and digital forensics and incident response firms to the mix of parties that could face penalties.
The advisory didn't change the law or regulatory landscape. Instead, it put cybersecurity and financial services firms "on notice" and this "is indeed going to be an enforcement priority for the Treasury Department," said Ryan Fayhee, partner at Hughes Hubbard, while speaking on a webinar hosted by The Wall Street Journal and Dow Jones Risk & Compliance Wednesday.
It is not the job of an insurance provider to encourage an organization, post-ransomware attack, to pay the extortion. Instead, insurers provide guidance, and in some cases a monetary cushion if the ransom is paid. All parties involved, including the growing industry of ransom negotiators, have compliance obligations under the Treasury and Justice Departments.
But the advisory "created a stir among the various players in the food chain," said Katherine Keefe, managing director at Marsh, while speaking on the webinar. The Treasury "took pains to call out" response and recovery organizations, and in the wake of the advisory, these groups are discussing how to "refresh" their ransomware strategies.
Even with refreshed policies, victimized organizations are balancing the risk and cost of stalled operations and encrypted data, with federal watchdogs ready to act. Response and recovery is never going to be an easy process.
The early stages of responding to a ransomware attack require attributing the attack. Identifying the source matters because some threat groups are sanctioned by OFAC.
"This is what puts these third-party firms particularly at risk, in comparison with the victim of the attack, oftentimes, the victim is not going to easily know the source of the attacker," said Fayhee.
Such was the case for the WastedLocker ransomware attack against Garmin this summer. The wearables company tapped ransom negotiators Arete IR, and reportedly paid the attackers, who are said to be linked to Russia-based Evil Corp. Evil Corp is one of the threat groups on OFAC's Specially Designated Nationals and Blocked Persons (SDN) list, though Arete argued the group wasn't tied to the WastedLocker strain.
This is part of why the advisory raised eyebrows. "It's important to note here that OFAC viewed this on the administrative civil penalty side as a strict liability offense. So in other words, mistakes can, they don't always, but mistakes can result in a fine or penalty," said Fayhee. Third parties, for the most part, are able to piece together attribution better than the victimized organization.
OFAC's advisory was in part an encouragement for organizations to involve law enforcement early on. "The FBI particularly likes to track these situations," said Keefe. It helps enforcement agencies improve their understanding and mitigation calculus.
How quickly an organization involves law enforcement is also a factor in how fines are calculated. Whether to involve law enforcement before disclosing a data breach, rather than acting in haste, "sort of captures the most complicated issue in a ransomware attack," said Fayhee. The FBI is very unlikely to, "under any circumstances, approve of payment to an SDN-listed party." There might be exceptions if paying a ransom could prevent future attacks, but it's highly unlikely.
There will be instances where SDN-listed threat groups know they're listed, and therefore suspect they won't get paid. "They don't want you to know they're on the list," said Fayhee, so they blur their origin even further, for example by demanding payment in privacy coins such as Monero or Zcash instead of Bitcoin.
Privacy coins are often used by more sophisticated bad actors, and OFAC counts Monero transactions among prohibited transactions. In general, attackers are getting better at breaking the links that would tie them to an identity. "It's almost like a game of whack-a-mole. As soon as something is identified, there's an alteration to the process by the criminals that pulls them further into the shadows," said Keefe.
With attribution unreliable, the DOJ can be forgiving of mistakes and instead prosecute "willful conduct," said Fayhee. OFAC's voluntary disclosure process gives organizations the opportunity to be upfront about their investigation, their response and their reasoning for paying an extortion.
Companies within financial services that handle cryptocurrency are covered by the Bank Secrecy Act, whose reporting requirements, unlike OFAC's voluntary disclosure, are mandatory. These companies are required to report suspicious activity. "The concept or the idea of keeping this quiet no longer remains," which increases the risk for entities investing in cryptocurrency, said Fayhee. "I know from my interactions with OFAC, it is one of the primary purposes of this advisory."
No time to wait
If a company does get the source of an attack wrong, or if an organization reliant on its uptime decides to pay a ransom, "I fear that in some circumstances that are well-meaning, regulators don't understand the table stakes that are at play here," said Keefe.
Business interruption (BI) accounts for the largest chunk of ransomware-related costs. Allianz found that restoration and expenses following an attack were valued similarly to the demand, while "the BI proportion of the loss was four to five times greater."
It will always be the government's stance to discourage paying extortion demands, and not to negotiate with terrorists, but "there are instances where it is truly a risk to the enterprise" not to pay, said Fayhee. "I don't have a solution for that … it really shows why this is one of the most complicated threats."
There's also a difference in what kind of cybercriminals are behind ransomware. Ransomware commercialization and franchise models are causing more attacks, according to Allianz. In 2019, ransomware cost organizations $6.3 billion or more in ransom demands. With ransomware as a service, deploying ransomware no longer necessarily requires technological savvy.
More experienced threat groups, with a business to run (albeit an illegal one), are more likely to "make good on the promise to release a clean decrypting code," whereas less sophisticated actors don't care.
ID Ransomware collected upwards of 100,000 ransomware reports targeting public and private sector organizations. Of those 100,000, more than 11,600 were connected to threat groups known for data exfiltration too.
Ransomware gangs targeting municipalities, school districts or local hospitals are feeding on entities that likely don't have sanctions compliance programs, because they haven't needed them and don't have the resources for them, according to Fayhee.
The average number of cyber-related insurance claims increased from 119 claims per quarter in 2018 to 257 claims per quarter in 2020, according to a report by Allianz. "External manipulation of systems," including ransomware, contributed to 43% of loss by the number of claims.
Companies without cyber-specific insurance may not realize the regulatory maze they have to walk through in the event of a ransomware attack, according to Keefe. And because of ransomware's ever-evolving sophistication, some of the third parties involved in mitigation "didn't really have this capability or sell this capability as recently as four or five years ago."
Ransomware-specific firms are "a rather newfound niche service that companies are turning to and rightfully so," said Keefe.