John Pescatore - SANS Director of Emerging Security Trends
If You Have to “Know Your Customer,” You Also Have to Know Who You Are Considering Paying Ransomware Extortion
This week’s Drilldown will focus on one item (included below) from NewsBites Issue 78, commenting on an advisory by the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) reminding businesses that they can receive fines and other sanctions if they make any payments, including ransomware payments, to sanctioned organizations or individuals.
The OFAC sanctions are not new, and OFAC, as early as December, placed one of the developers of the CryptoLocker ransomware on the sanctions list. The current OFAC sanctions list shows five individuals on the “Specially Designated Nationals and Blocked Persons” list. You can search that list here; enter program code CYBER2 for ransomware-related information. Note: The list can change at any time.
The decision whether to pay off ransomware is a complex business decision. In Q1 2021, SANS instructor Ben Wright and I will be doing a SANS research paper on the topic, including how cyber insurance factors into the decision to support informed decision making.
However, it is critical to emphasize what the Treasury advisory says: "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Those five areas are well known under a variety of terms, but I’m going to call them essential security hygiene. No one makes a risk decision before declining to eat mayonnaise that has been sitting in the sun for a week in the summer, does a weather trade-off before putting on clothes to go outside in the winter, or weighs the options before deciding not to sell bags of glass as snacks to customers. These are essential hygiene rules: we just don’t do those things, because we know the risk is never, ever worth taking.
The Center for Internet Security (CIS) lists a subset of the Critical Security Controls called Implementation Group 1 (IG1), which consists of 26 of the 171 subcontrols. About 10 of those 26 IG1 subcontrols represent essential security hygiene that would mitigate most ransomware attacks. Those essential hygiene processes are not always organizationally easy, but they are rarely prohibitively expensive.
Bottom line: Prevention of the vast majority of ransomware will always end up costing less than incurring or paying off successful attacks.
US Treasury Advisory: Sanction Risks for Paying Ransomware Operators
(October 1, 2020)
According to a recent advisory from the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC), organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem.
[Paller] This is a very big deal. It can give you the justification at the most senior levels of your organization to implement the CIS Critical Security Controls this year.
[Neely] OFAC rules and consequences around foreign transactions to sanctioned entities can be substantial. Develop a risk-based approach to support the payment decision now, as John enumerates, before it is needed, including consideration of sensitive data being released. Additionally, include reporting and cooperation with law enforcement in your response plan, because this can mitigate the weight of any OFAC enforcement outcome.
[Pescatore] This is consistent with the FBI's updated guidance on dealing with ransomware, which came out in October 2019: "... the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement." The reminder that payments to sanctioned entities may incur fines was added here.
However, the Treasury advisory still says, "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training--essentially, security hygiene.
[Murray] Ransomware attacks must be resisted, not merely mitigated. They constitute a risk that must be reduced, not simply assigned to underwriters.
Read more in:
KrebsOnSecurity: Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam
Ars Technica: Paying ransomware demands could land you in hot water with the feds
Bleeping Computer: US govt warns of sanction risks for facilitating ransomware payments
Dark Reading: US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers
Security Week: Treasury Department Warns Ransomware Payment Facilitators of Legal Implications
Cyberscoop: Helping to pay off ransomware hackers could draw big penalties from the feds
Treasury: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (PDF)