Malware - Ransomware

US Government Cracks Down on Businesses That Make Ransomware Payments

Adrien Gendre

December 03, 2020

14 min

Ransomware Payments

While businesses might be tempted to make ransomware payments to put a quick end to the nightmare of a ransomware attack, it’s one of the most dangerous decisions a business can make. Paying a ransom is no guarantee that a business will recover their data, and thanks to new regulations, it can create legal culpability as well.

October OFAC advisory on ransomware payments

According to a report by U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), businesses can now be held legally responsible if they submit a ransomware payment to a hacker who is affiliated with a group on OFAC’s list of sanctioned organizations.

Notable organizations on the list include:

  • Russia-based EvilCorp, developers of Dridex malware
  • Lazarus Group, the Korea-backed organization behind the 2017 WannaCry attack
  • Bluenoroff and Andariel, also linked to WannaCry
  • Evgeniy Mikhailovich Bogachev, Russian developer of CryptoLocker

An October advisory sent by OFAC warned businesses that cooperating with sanctioned individuals and organizations risks violating OFAC regulations. According to the advisory, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

Cyber insurance firms and digital forensics and incident response companies are the most common types of business that assist victims of ransomware attacks. Even financial companies, including depository and money services, can face civil penalties, including monetary. Additionally, according to OFAC, financial firms should also consider their regulatory obligations with regard to the Financial Crimes Enforcement Network.

Global ransomware surge has businesses scrambling for help

Ransomware attacks have been steadily increasing since 2017. In 2020 alone, government, educational, and healthcare organizations lost $144 million to ransomware, with 966 attacks reported in those industries. Each of these industries were critical in 2020 due to the COVID-19 pandemic, making them particularly interesting to hackers and vulnerable to attack.

As a result of increasing attacks, cyber insurance claims have also increased. In Europe, the Middle East, and Africa, ransomware attacks represented half of all cyber claims, up from 13 percent in 2016. According to the Cyber Insurance Claims Report by Coalition, ransomware accounted for 41 percent of cyber claims in 2020.

Historically, most ransomware hackers demanded a ransomware payment in return for encrypted data. Today, we’re seeing more creative measures being deployed, including threats to publish a victim’s stolen data and expose the personal data of a victim’s customers and clients.

What has also changed is ransomware targets. SMBs, once considered less desirable than enterprises with big profits, are becoming popular targets for attacks. Additionally, the MSPs they rely on to keep their IT systems running are also being targeted in increasing numbers.

According to Datto’s 2020 Global State of the Channel Ransomware Report, 60 percent of MSPs reported ransomware attacks against their SMB clients in 2020. Eleven percent reported that their clients experienced multiple attacks in a single day. European MSPs reported more ransomware attacks against clients than any other region—85 percent. The US came in second, with 77 percent of MSPs reporting attacks.

Phishing emails were the #1 cause of ransomware attacks reported by MSPs, according to Datto. Poor user practices and lack of cybersecurity training represented 27 percent and 26 percent of attacks respectively. The average ransom, according to MSPs, was $5,600 in 2020, down slightly from 2019. The cost of downtime, however, increased exponentially from $141,000 in 2019 to $274,000 in 2020.

Paying a ransom comes with risks

Whether a cybercriminal or organization is sanctioned or not, paying a ransom comes with serious risk. According to the FBI, many businesses that make ransomware payments do not regain access to their data. In some cases, even when cybercriminals agree, their decryption tools are unreliable and sometimes even useless.

Additionally and perhaps most importantly, paying a ransom emboldens cybercriminals to both target new businesses and retarget businesses that have already been victimized. The more successful an attack, the more likely the attacker is to return for more. If you’ve been a victim of an attack, you’re encouraged to report it immediately. Below are just a few helpful resources:

  • This list from Europol will direct you to the proper cybercrime authorities in your country.
  • In the US, you can contact the FBI’s Internet Crime Complaint Center and also your local authorities.
  • See MITRE for a comprehensive list of active cybercrime organizations.

Download our free ransomware white paper