Ransomware attacks are on the increase, putting the target organizations in the uncomfortable position of having to decide whether or not to pay the demanded ransom. As if that were not tough enough, an October 1, 2020 advisory statement by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) warns that companies paying ransoms under these circumstances may risk violating OFAC regulations and could be subject to penalties. In the following guest post, Bill Boeck takes a look at the OFAC advisory and its implications. Bill is Lockton’s Global Cyber Product and Claims leader and U.S. Financial Lines Claims Practice Leader. A version of this article previously was published as a Lockton client alert. I would like to thank Bill for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Cyber extortion used to be simple; horrible, but not complex. Threat actors infected a computer system with ransomware that encrypted an organization’s digital assets. The victim then either restored from backups or paid the ransom, which typically was a small amount. The threat actors often were small-time cyber criminals.
Today things are very different. Ransomware, and the cyber criminals behind it, are far more sophisticated. Ransom amounts have grown exponentially. Seven- and eight-figure demands are common. Rather than simply encrypting data, a growing number of ransomware variants now also take data. In some cases, the victim pays a ransom to obtain a decryption key and a separate ransom to ensure that the stolen data is irretrievably deleted.
The US Department of the Treasury has taken note of the changed cyber extortion environment and is paying particular attention to the identity of the threat actors. The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) prohibit US persons from dealing with persons and entities from places under embargoes (e.g., Cuba, the Crimea region of Ukraine, North Korea, Iran, and Syria) and those on the Specially Designated Nationals and Blocked Persons List (SDN) maintained by Treasury’s Office of Foreign Assets Control (OFAC). A number of criminals behind significant pieces of ransomware are on the SDN list. These include the criminals responsible for Cryptolocker, SamSam, WannaCry, Dridex, and, depending on its correct attribution, WastedLocker.
Cyber criminals have been on the OFAC SDN list and ransom demands have emanated from embargoed locations for years. Nevertheless, ransoms have been paid by or on behalf of US organizations. However, OFAC has now firmly stated that paying such ransoms can subject a party to liability.
The OFAC Advisory
On October 1, 2020, OFAC issued its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Advisory is grounded in the potential for ransom payments to fund activities that impact US national security interests. While the Advisory lacks the force of law, it is strong guidance about what OFAC considers to be prohibited, the parties who may be held responsible, and the factors that will affect enforcement decisions.
OFAC advises that civil liability under the IEEPA and TWEA extends to US persons who engage in prohibited transactions, US persons who facilitate such transactions by US and non-US parties, and to parties “subject to US jurisdiction,” which conceivably could include non-US parties. OFAC notes that liability exists regardless of whether the violator knows or has reason to know that the transaction is prohibited. While the Advisory does not mention criminal liability, OFAC’s Economic Sanctions Enforcement Guidelines state that criminal referrals will be made when appropriate.
A party seeking to pay a ransom to a sanctioned party must apply for a license to do so. Applications for licenses are reviewed on a “case-by-case basis with a presumption of denial.” The Advisory does not provide guidance about what circumstances will support issuing a license. I am aware of anecdotal information that OFAC refused to issue a license for the WastedLocker ransomware. Obtaining a license will be difficult as a practical matter because it is unlikely that cyber criminals will be content to wait for a license decision before receiving payment.
The Advisory helpfully identifies key factors that will affect whether, and to what extent, civil penalties are assessed against a violator. These factors include:
- The existence, nature, and adequacy of a sanctions compliance program
  - OFAC encourages companies to have risk-based sanctions compliance programs. The hallmarks of such a program are: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
- Timely and complete self-reporting of a ransomware attack to law enforcement
- Full and timely cooperation with law enforcement
The OFAC Advisory is likely to have a significant effect on how ransomware attacks are handled. Determining the identity of the attacker is now extremely important. If the attacker is a sanctioned party, then it will be legally impossible for the victim to pay any ransom without a license. At this time, it is unclear what will happen if the origin and attribution of a piece of ransomware is disputed.
It is more likely now that financial institutions and others involved in paying ransoms will disclose ransomware activities to the federal government. A separate October 1, 2020 advisory issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warns companies involved in facilitating ransom payments, including some digital forensics and incident response firms and potentially cyber insurers, that they have an obligation to file suspicious activity reports. The FinCEN Advisory lists a number of red flag indicators of ransom payments.
Cyber Insurance Ramifications of the Advisories
The OFAC and FinCEN advisories will have a significant effect on cyber insurance coverage for ransomware events. Many cyber insurers have been waiting for OFAC’s response to the recent WastedLocker attacks before deciding how to respond to ransomware launched by sanctioned entities. Now, it is difficult to imagine that any cyber insurer will agree to pay a ransom to a sanctioned party on behalf of a US insured without a license from OFAC. The same would be true of ransom payments under Kidnap & Ransom and other policies.
The OFAC and FinCEN Advisories should not affect the availability of insurance for ransoms paid by US companies to criminals that are not subject to US sanctions.
It remains to be seen whether cyber insurers will cover the legal costs to apply for a license to pay a ransom. Some cyber insurers have told us that they will cover such costs. Others have said the costs are the insured’s responsibility.
Ransomware creates losses that go beyond the ransom payment. Those include forensic analysis expenses, income loss due to business interruption, and legal fees. Although insurers should, and most likely will, pay such losses associated with ransomware launched by a sanctioned entity, some insurers, acting out of an abundance of caution, have not and are still studying the issue.
It is not yet clear whether the OFAC and FinCEN Advisories will impact the availability of cyber extortion insurance. Cyber insurers have been hit with significant ransomware losses in 2020. Some are reevaluating whether, and how, coverage can be profitably underwritten going forward. While insurers will not be paying ransoms to criminals in embargoed locations or on the OFAC SDN list, cyber insurers may nevertheless increase premiums and retentions, impose a coinsurance requirement, and potentially sublimit extortion coverage.
Managing the Ransomware Risk Is Now Essential
Faced with the real possibility that large ransoms will no longer be payable by insurers, organizations must respond by mitigating the likelihood of a successful ransomware attack and improving their cyber resiliency. Failure to do so could destroy some organizations.
Each organization’s cyber security needs are different, and each is at a different point in its cyber security journey. There are a number of things that all organizations can do to better prepare themselves to avoid or mitigate ransomware attacks:
- Train employees
Users are the weakest element of any organization’s cyber security defenses. If one user falls for a phishing email, that may be all that is needed for ransomware to enter the computer system. Cyber security training is essential to ensure that the risk posed by human error is minimized. Today’s training options have improved over the traditional click-through modules. Engaging and sometimes humorous videos, behavior-based adaptation, and other means have proven to be more effective.
- Be conscientious about backing up systems
This may seem elementary, but the lack of reliable backups frequently motivates organizations to pay a ransom. Backups must be performed regularly and tested. Organizations should ensure that they can restore from backups quickly, and that the backups cannot be infected by the ransomware. Maintaining offline backups that are updated and tested frequently is a best practice.
- Adopt strong patch management practices
It is essential that organizations consistently patch firmware, operating systems, and other software on their computer systems to ensure that newly discovered vulnerabilities are eliminated before they are exploited by a cyber criminal. Remote Desktop Protocol and Remote Desktop Gateway vulnerabilities are the most common points of weakness today.
- Implement multi-factor authentication (MFA)
Requiring two-factor authentication from users would foil all ransomware that uses access to passwords to enter a system. MFA for remote connectivity is critical, but MFA within the network is also preferred, especially for employees with access to sensitive information.
- Monitor and filter email and web content
Filtering content will prevent malicious links and software from ever reaching a user.
- Monitor network activity
Tools that allow organizations to monitor activity on their networks and endpoints can provide an early warning if a ransomware attack takes place. This may allow the company to detect and remove the ransomware before it is triggered. Use a strong antivirus and email filter provider.
- Limit employee network access
Organizations should only give users access to the parts of the network that their work requires. Such a limitation can limit the spread of ransomware.
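The "Monitor network activity" item above says endpoint and network monitoring can give early warning before ransomware is triggered. As an added illustration that is not part of the original article and not Lockton's or any vendor's code, the script below applies one widely used early-warning heuristic to file-activity logs: a burst of renames on a single host that change many files to one new, previously unseen extension. The log format, host names, user names, paths, and the `.locked` extension are all constructed for the example; real file-audit telemetry would need its own parser.

```python
"""Ransomware early-warning heuristic over file-activity log lines.

Added example, not from the original article. Assumes a constructed log
format: "<ISO timestamp> <host> <user> <action> <path>", where action is
WRITE, CREATE, or RENAME (a RENAME path is written as old->new).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed sample log lines (not real telemetry). ws-17 shows a burst of
# extension-changing renames; ws-03 shows ordinary user activity.
SAMPLE_LOG = """\
2020-10-05T09:00:01 ws-17 alice WRITE /share/finance/q3.xlsx
2020-10-05T09:00:04 ws-17 alice RENAME /share/finance/q3.xlsx->/share/finance/q3.xlsx.locked
2020-10-05T09:00:05 ws-17 alice RENAME /share/finance/q2.xlsx->/share/finance/q2.xlsx.locked
2020-10-05T09:00:05 ws-17 alice RENAME /share/finance/q1.xlsx->/share/finance/q1.xlsx.locked
2020-10-05T09:00:06 ws-17 alice RENAME /share/finance/budget.docx->/share/finance/budget.docx.locked
2020-10-05T09:00:07 ws-17 alice RENAME /share/finance/board.pptx->/share/finance/board.pptx.locked
2020-10-05T09:00:08 ws-17 alice RENAME /share/finance/payroll.csv->/share/finance/payroll.csv.locked
2020-10-05T09:00:09 ws-17 alice CREATE /share/finance/README_TO_RESTORE.txt
2020-10-05T09:15:00 ws-03 bob RENAME /home/bob/draft.docx->/home/bob/final.docx
2020-10-05T09:16:30 ws-03 bob RENAME /home/bob/report.docx->/home/bob/report.pdf
"""


def parse_line(line):
    """Split one log line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def flag_hosts(log_text, window=timedelta(seconds=30), threshold=5):
    """Return {host: extension} for every host that renamed at least
    `threshold` files to the same new extension within `window`.

    Only renames that change the file extension count; renaming draft.docx
    to final.docx is normal user behaviour and is ignored.
    """
    events_by_host = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, _user, action, path = parse_line(raw)
        if action != "RENAME" or "->" not in path:
            continue
        old, new = path.split("->", 1)
        old_ext = os.path.splitext(old)[1]
        new_ext = os.path.splitext(new)[1]
        if new_ext and new_ext != old_ext:
            events_by_host[host].append((ts, new_ext))

    flagged = {}
    for host, events in events_by_host.items():
        events.sort()
        # Sliding window anchored at each event: count later renames to the
        # same extension that fall within `window` of the anchor.
        for i, (t0, ext) in enumerate(events):
            count = sum(1 for t, e in events[i:] if e == ext and t - t0 <= window)
            if count >= threshold:
                flagged[host] = ext
                break
    return flagged


if __name__ == "__main__":
    for host, ext in flag_hosts(SAMPLE_LOG).items():
        print(f"ALERT: {host} renamed a burst of files to '{ext}'; isolate and check backups")
```

In practice the threshold and window would be tuned to the environment, and the alert would feed the isolation and restore-from-backup steps described in the list above rather than stand alone; the point of the example is only that the signal is cheap to compute from logs most organizations already have.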
Addressing all of these can be daunting, particularly for small companies with limited IT and cybersecurity budgets. Fortunately, cyber insurers can help. Many insurers provide excellent services to companies to help them identify, manage, and mitigate their cyber risks.
Ramifications for Directors and Officers
The OFAC and FinCEN advisories have obvious implications for corporate directors and officers. Building and upgrading cyber security is more necessary now than it was before the Advisories were issued. A failure to do so could leave a company vulnerable to ransomware and a multimillion-dollar ransom demand it cannot legally pay. Directors and officers that do not ensure that their company is sufficiently resilient under those circumstances are sure to be held accountable by shareholders.