US Govt Takes Hard Line on Victims of Ransomware
US Govt takes Hard Line on Victims of Ransomware that Pay Up
On October 1, 2020 the US Dept of Treasury released an advisory regarding payments to cybercriminals.
“Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments”
Date: October 1, 2020
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”
The entire advisory is available HERE.
While it seems harsh, the truth is paying ransom only encourages continuing criminal activity. It’s a tough pill to swallow but I feel they are on the right track. The treasury has imposed sanctions on many cyber crime groups essentially freezing their assets subject to US Jurisdiction, making it a crime to transact with them.
Other than transferring funds to the cybercriminals, paying ransom or other extortion requests accomplishes nothing.
- Paying does not guarantee that encrypted files can or will be unlocked.
- Does not guarantee future immunity from future attacks
- Does not guarantee trojans or hooks have not been left behind to make you pay again and again.
- It also does not mean that data was not exfiltrated from your systems to be sold on the dark web.
Once your systems have been compromised, the best recourse is to wipe, verify integrity and rebuild from known good back ups. You will need to scrub the data to ensure all remnants of malware have been removed. You will also take a hit with your customer confidence but if handled correctly will not be devastating as long as you were not severely negligent or do not try to hide what happened. Just be as transparent as possible and you will probably be surprised at how forgiving your customers can be.Do not wait to inform customers and accept responsibility for what happened. Playing the blame game only makes you look childish and creates a bad and weak company image. OH yeah, I almost left this little tidbit out. You will also need to verify the integrity of all OS’s on all appliances too. that includes all swritches, modems, routers, firewalls, AP’s and wireless devices.
We all know that being a victim of a ransomware attack is not a good thing, but so many companies have a wrong attitude regarding cybersecurity. Either believing they are too small or they don’t have anything of value is just irresponsible. Most businesses with this sort of attitude are easy prey to the criminals who see things very differently. They view the lack of adequate security measures and training as an open door to a bank account that holds exactly what they want. MONEY! It never fails to surprise me when a company gets breached because of a simple setting somewhere that allows access to data and systems. These companies are usually the ones who take the longest to detect the breach, the longest to admit a breach and generally try to minimize or blame someone else.
Businesses know how important cybersecurity is but for some reason many choose to ignore what they need to do to ensure the privacy of their clients and data. Every state in the US and pretty much every country in the world has data privacy laws. These laws are meant to protect private citizens from careless and possibly negligent security practices or lack there of.
Most business owners know there are laws they need to comply with such as HIPAA and PCI/DSS just to name the two most well known. The attitude about cybersecurity must change from being an added expense with $0 ROI to one that safeguards the viability of the business.
One of the big misunderstandings about cybersecurity is that everything needs to be done all at once. This simply is not the case. In fact, it is a continual process that evolves and matures over time. It is never a one and done activity. You start with a proper assessment to identify weaknesses and develop a plan to remediate them. While that is taking place you are continually reassessing to identify new vulnerabilities which then get prioritized for remediation. Wash, Rinse, Repeat.
In the US, if you follow the NIST (National Institute of Standards and Technology) CyberSecurity Framework, you pretty much can’t go wrong. Health Care Providers and Organizations that are required to follow HIPAA is not really much different than the NIST CSF but there are certain things that require additional consideration in order to be compliant. Other regulations may require slight tweaks but NIST CSF is a great place to start.
One of the biggest problems in the United States is that every state wants to have their specific rules. That means if your business is located in New Your you will have to comply with the New York Shield Act. If you want to do business with individuals in California you will also need to make sure you are following the CCPA rules. As you can imagine if you want to do business in all 50 states you will need to potentially follow 50 different compliance laws.
I personally feel that the “50” need to get together and just adopt NIST CSF. In fact most individual states privacy laws are based on NIST CSF. Another reason that NIST CSF should be adopted nationwide is that several countries including Canada accept NIST CSF compliant US Companies as compliant and allowed to do business with Canadian businesses and citizens.
Bottom line is, a Cybersecurity program is not something that will break the bank but a breach certainly can be. With the cost of the average breach rising to over $1 million it is imperative that companies realize a solid Cybersecurity program is literally money in the bank. The reason I tell you this is because Cyber Insurance policies generally require certain guidelines are adhered to in order to issue payment on a claim. The last thing you want is to find out a claim has been denied because you didn’t protect your systems to the standards they require.
Monitoring systems to ensure regulations and Insurance standards are met is crucial to being able to survive a cyber attack. Having policies in place and enforced as well as ongoing training show your commitment to ensuring the privacy and security of your customers data that you have been entrusted with.
Schedule a free discovery consult to learn about your cybersecurity options.Contact Us