Ransomware Notice from the U.S. Treasury Department

An announcement from the U.S. federal government has sparked a serious debate in the cybersecurity industry. The Treasury Department's Office of Foreign Assets Control (OFAC) [1] recently released a controversial advisory warning that organizations could be penalized for paying ransoms if the cybercriminals they pay have been sanctioned by the Treasury.

The advisory states that "companies who facilitate ransomware payments to cyber actors on behalf of victims not only encourage future ransomware payment demands but also may risk violating OFAC regulations." The backdrop to this announcement is an increasing number of ransomware attacks on businesses across the country, estimated to cost more than $20 billion in 2020.

OFAC Cracks Down On Cybercriminals - And Their Victims

Victims of ransomware attacks, and the organizations that facilitate ransomware payments on their behalf, can now face severe legal repercussions and substantial civil monetary penalties.

Law enforcement agencies have long discouraged victims from paying ransoms on the basis that it encourages the perpetrators to keep attacking others. However, the economics of ransomware currently favor paying the ransom over paying the higher cost of recovery and remediation.

In many cases, paying a ransom is the fastest way to restore a business's operations. Another problem is that insurers with cyber liability policies often encourage ransom payments to avoid the higher cost of covering business interruption.

The controversial element of this advisory is that a business that pays a ransom to a sanctioned cybercriminal can be fined even if it does not know that the attacker is on the sanctions list. OFAC imposes financial penalties on the basis of 'strict liability' [2]: intent and knowledge are not required for a violation.

Treasury observers will note that this strict liability standard is not new; it applies to sanctions violations generally. The advisory should be read as a warning to businesses that have fallen victim to ransomware and did not notify law enforcement or regulatory authorities of the attack.

Firms that negotiate and pay ransoms on behalf of victims are already aware of the risk of OFAC enforcement action and financial penalties. Increasingly, they refuse to help customers who have been hit by ransomware strains attributed to sanctioned groups.

OFAC's guidance states that a business's sanctions compliance program will be taken into account when penalties are assessed. A self-initiated, timely and complete report of the attack to law enforcement will also be a significant mitigating factor in determining the severity of any penalty.

Analysis Summary

"Victims of ransomware may find themselves between a rock and a hard place. If they don't pay the ransom, it could mean the end of their business, and if they do pay the ransom, they could face severe civil penalties." - Jason Allen, CTO at Digital Hands

This conundrum is a major problem for businesses that want to resume normal operations quickly, especially if they lack a robust disaster recovery plan that includes the ability to restore data from backups. Without restorable backups, recovery from a ransomware attack is often difficult and sometimes impossible unless the company takes a gamble and pays the ransom. Regulation can change the economics of ransomware, but prohibiting ransom payments can be disastrous for businesses that fall victim to severe attacks.

The Coase Theorem [3] applies to the economic case of paying a ransom versus not paying one. When there is a conflict over property rights, the parties to the conflict can negotiate terms that reflect the full costs and underlying value of the rights at stake. The theorem posits that, provided transaction costs are low, bargaining reaches an efficient outcome regardless of who held the rights before the conflict began.

In plain terms, this means ransomware negotiations inevitably arrive at a point where it is significantly less expensive to pay the ransom than to refuse and attempt to recover without the attackers' decryption keys, if recovery is even possible.

When you factor in that most ransomware operators do work with their victims to decrypt data and help them recover once a ransom is paid, paying becomes even more attractive than doing things the hard way.

Of course, these economics are appalling to law enforcement. They insist that ransoms should never be paid because payment encourages cybercriminals to use the same technique against other businesses. Law enforcement also argues that once paid, attackers may have no intention of decrypting the data or deleting the copies they exfiltrated to their own servers.

While this argument holds some water, it runs against the interests of ransomware gangs that are serious about the business they are in. If groups routinely took the money and ran, ransom payouts would plummet and their criminal enterprises would collapse.

As it stands, paying out a ransom to attackers is the most cost-effective way of recovering operations and data and getting a business back to normal.

In that context, the OFAC advisory is an attempt by the federal government to attach a negative externality [4] to paying a ransom. That is to say, it imposes a 'tax' of sorts on the transaction to distort the Coase bargain: make paying a ransom more expensive, and the economics that currently make it more cost-effective to pay attackers begin to shift.

Some states are considering laws that would make it illegal for businesses and government agencies to pay ransoms. Their reasoning is that if businesses cannot legally pay, attacks become far less lucrative for the gangs behind them, reducing the overall number of attacks.

Right now, much of this looks like wishful thinking. We can expect to see many more ransomware attacks before these added costs kick in and begin to limit them.

If you have questions or need a competent partner to help you make the right moves with your cybersecurity, get in touch with Digital Hands today at (855) 511-5114 or info@digitalhands.com.


References:

1) https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

2) https://www.justia.com/injury/negligence-theory/strict-liability/

3) https://www.investopedia.com/terms/c/coase-theorem.asp

4) https://en.wikipedia.org/wiki/Externality