Oct. 1st, 2020: The US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations that making ransomware payments is illegal. These payments violate US economic sanctions banning the support of terrorists, cybercriminal groups, and state-sponsored hackers. The edict limits how ransomware victims, insurers, and incident responders can recover from these incidents. If they pay the ransom, they may be fined by OFAC. If they don’t pay the ransom and critical data is released online, they may be fined (HIPAA, PCI, privileged legal documents) for breaching confidentiality. It’s a lose-lose situation.

CyberHoot believes this is a necessary clamp-down on ransomware payments, which have skyrocketed in 2020, with ransom demands going up 6-fold for newer variants of ransomware like MAZE, which threaten to, and do, release stolen data online.

Craig Taylor, co-founder of CyberHoot, believes the Treasury made this bold move for two reasons: “The Treasury believes that to stem increasing ransomware attacks, the US must starve hackers of their funding by making these untraceable bitcoin payments illegal and prosecuting those that make payments. Secondly, the US wants to prevent funding of terrorist organizations through these payments.”

This is a controversial position for the Treasury to take. Companies already under extreme stress and pressure to recover from an incident are then threatened with additional fines and even civil penalties! Why is it so bad to make these payments?  The answer lies in who we know is behind many of the attacks:

  • Nation-state groups like North Korea’s state-sponsored Lazarus group, which was linked to the WannaCry attacks;
  • The Russian cybercriminal organization Evil Corp, which is behind the Dridex botnet and the WastedLocker and BitPaymer ransomware programs; and
  • A myriad of small-time hackers who buy ransomware as a service on the dark web.

The new guidance puts businesses in a tough spot, considering many use cyber insurance as a failsafe when ransomware strikes. However, cyber insurance policies have conditions that exclude payments for acts of war (something that is presently being argued for the SolarWinds breach). With this new guidance from the US Treasury, will insurance providers be allowed to make payments?

Ransomware Prevention

While currently there aren’t many options for those who have fallen victim to a ransomware attack, there are some things you can do to defend against these increasing threats. If you own a business, you should build a robust cybersecurity program that includes the following:

  1. Govern employees with policies and procedures including:
    • a password policy
    • an acceptable use policy
    • an information handling policy
    • a written information security program (WISP)
    • a Security Incident Management Process (SIMP), and
    • a Vulnerability Alert Management Process (VAMP)
  2. Train and test employees on how to avoid phishing attacks
  3. Deploy vital cybersecurity technologies including
  4. Patch everything; in a “Work-from-Home” era, don’t forget to manage and patch personal devices connecting to company networks and data
  5. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.

Most of these recommendations are built into CyberHoot. With CyberHoot you can govern, train, assess, and test your employees.  To stay on top of current cybersecurity updates you can: