A new study finds that the majority of companies hit with ransomware attacks choose to pay the ransom in hopes of quickly regaining access to their data. However, federal officials warn that those who negotiate with ransomware extortionists may expose themselves to millions of dollars in fines and penalties.
On Oct. 1, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory that warns of potential sanctions associated with ransomware payments. At issue is the fact that many ransomware perpetrators are part of vast international criminal groups.
OFAC is the federal agency that implements and enforces economic sanctions against foreign states, terrorist organizations and other criminal enterprises deemed to be a threat to U.S. national security. It has the authority to impose fines and freeze assets, and can even prohibit companies or individuals from operating in the U.S.
Criminal organizations such as North Korea’s Lazarus Group, Russia’s Evil Corp., and Iran’s APT39, all of which are under sanction by OFAC, are increasingly using ransomware to fund a range of illicit activities. According to the OFAC advisory, anyone engaging in any sort of direct or indirect transactions with these sanctioned groups is subject to harsh penalties under a variety of laws and regulations.
The laws apply not only to companies making payments to cybercrime groups, but also to anyone who facilitates payments on behalf of victims. OFAC says this includes financial institutions, cyber insurance firms and companies involved in digital forensics and incident response. Violations could result in fines of up to $20 million — even if you didn’t know you were conducting a transaction with a group on the OFAC sanctions list. However, the OFAC advisory does note that cooperation with law enforcement officials will be a significant mitigating factor in any enforcement action.
The advisory comes at a time of record numbers of ransomware attacks. New research from Check Point finds that ransomware attacks in the U.S. have doubled in the past three months, claiming a new victim every 10 seconds! The security firm attributes the surge to the ongoing pandemic, which forced businesses to make a series of hasty operational changes that often created gaps in their IT security systems.
Given the uncertain conditions and the challenges associated with supporting remote operations, most organizations have come to believe that paying the ransom is the simplest way to resolve a ransomware attack. The CyberEdge Group’s annual Cyberthreat Defense Report finds that 58 percent of organizations experiencing ransomware attacks this year paid the ransom.
OFAC says ransom payments provide critical financing for criminal organizations and may even be funding state-sponsored threats. For example, U.S. authorities say evidence suggests North Korea has been using ransomware profits to fund the production of nuclear weapons and other weapons of mass destruction. At the very least, ransom payments likely embolden threat actors to engage in future attacks — it is believed that roughly half of all ransomware victims suffer multiple repeat attacks.
That’s one reason why security experts and law enforcement officials have always advised against paying. Another is that there’s no guarantee you’ll get your data back. In some cases, victims are never provided with decryption keys. In others, flaws in the malware’s encryption algorithms prevent data recovery even with a valid decryption key.
With ransomware attacks reaching record levels, the OFAC advisory serves as a stark warning about the consequences of negotiating with cybercriminals. It should also provide motivation for implementing mitigation strategies. Call Verteks to learn how our ransomware prevention and removal services can help you limit your risk.