Cyber extortion used to be simple; horrible, but not complex. Threat actors infected a computer system with ransomware that encrypted an organization’s digital assets. The victim then either restored from backups or paid the ransom, which typically was a small amount. The threat actors often were small-time cyber criminals.
Today things are very different. Ransomware, and the cyber criminals behind it, are far more sophisticated. Ransom amounts have grown exponentially, with organizations seeing demands of a million dollars and above. Rather than simply encrypting data, several ransomware variants now also steal it. In some cases, the victim pays one ransom to obtain a decryption key and a separate ransom to ensure that the stolen data is irretrievably deleted.
The U.S. Department of the Treasury has taken note of the changed cyber extortion environment and is paying particular attention to the identity of the threat actors. The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) prohibit U.S. persons from dealing with persons and entities from places under embargoes (e.g., Cuba, the Crimea region of Ukraine, North Korea, Iran, and Syria) and those on the Specially Designated Nationals and Blocked Persons List (SDN) maintained by Treasury’s Office of Foreign Assets Control (OFAC). A number of criminals behind significant pieces of ransomware are on the SDN list. These include the criminals responsible for Cryptolocker, SamSam, WannaCry, Dridex, and, depending on its correct attribution, WastedLocker.
Cyber criminals have been on the OFAC SDN list and ransom demands have emanated from embargoed locations for years. Nevertheless, ransoms have been paid by or on behalf of U.S. organizations. However, OFAC has now firmly stated that paying such ransoms can subject a party to liability.
The OFAC advisory
On October 1, 2020 OFAC issued its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Advisory is grounded in the potential for ransom payments to fund activities that impact U.S. national security interests. While the Advisory lacks the force of law, it is strong guidance about what OFAC considers to be prohibited, the parties who may be held responsible, and the factors that will affect enforcement decisions.
OFAC advises that civil liability under the IEEPA and TWEA extends to U.S. persons who engage in prohibited transactions, to U.S. persons who facilitate such transactions by U.S. and non-U.S. parties, and to parties “subject to U.S. jurisdiction,” which conceivably could include non-U.S. parties. OFAC notes that liability exists regardless of whether the violator knows or has reason to know that the transaction is prohibited. While the Advisory does not mention criminal liability, OFAC’s Economic Sanctions Enforcement Guidelines state that criminal referrals will be made when appropriate.
A party seeking to pay a ransom to a sanctioned party must apply for a license to do so. Applications for licenses are reviewed on a “case-by-case basis with a presumption of denial.” The Advisory does not provide guidance about what circumstances will support issuing a license. Lockton is aware of anecdotal information that OFAC has refused to issue a license for the WastedLocker ransomware. Obtaining a license will be difficult as a practical matter because it is unlikely that cyber criminals will be content to wait for a license decision before receiving payment.
The Advisory helpfully identifies key factors that will affect whether, and to what extent, civil penalties are assessed against a violator. These factors include:
The existence, nature, and adequacy of a sanctions compliance program
OFAC encourages companies to have risk-based sanctions compliance programs. The hallmarks of such a program are: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Timely and complete self-reporting of a ransomware attack to law enforcement
Full and timely cooperation with law enforcement
The OFAC Advisory is likely to have a significant effect on how ransomware attacks are handled. Determining the identity of the attacker is now extremely important. If the attacker is a sanctioned party, then it will be legally impossible for the victim to pay any ransom without a license. At this time, it is unclear what will happen if the origin and attribution of a piece of ransomware is disputed.
It is more likely now that financial institutions and others involved in paying ransoms will disclose ransomware activities to the federal government. A separate October 1, 2020 advisory issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warns companies involved in facilitating ransom payments, including some digital forensics and incident response firms and potentially cyber insurers, that they have an obligation to file suspicious activity reports. The FinCEN Advisory lists a number of red flag indicators of ransom payments.
Cyber insurance ramifications of the advisories
The OFAC and FinCEN advisories will have a significant effect on cyber insurance coverage for ransomware events. Many cyber insurers have been waiting for OFAC’s response to the recent WastedLocker attacks before deciding how to respond to ransomware launched by sanctioned entities. Now, it is difficult to imagine that any cyber insurer will agree to pay a ransom to a sanctioned party on behalf of a U.S. insured without a license from OFAC. The same would be true of ransom payments under Kidnap & Ransom and other policies.
Lockton does not expect the OFAC and FinCEN Advisories to affect the availability of insurance for ransoms paid by U.S. companies to criminals that are not subject to U.S. sanctions.
It remains to be seen whether cyber insurers will cover the legal costs to apply for a license to pay a ransom. Some cyber insurers have told us that they will cover such costs. Others have said the costs are the insured’s responsibility.
Ransomware creates losses that go beyond the ransom payment. Those include forensic analysis expenses, income loss due to business interruption, and legal fees. Although Lockton believes insurers should, and will, pay such losses associated with ransomware launched by a sanctioned entity, some insurers, acting out of an abundance of caution, have not.
It is not yet clear whether the OFAC and FinCEN Advisories will impact the availability of cyber extortion insurance. Cyber insurers have been hit with significant ransomware losses in 2020. Some are reevaluating whether, and how, coverage can be profitably underwritten going forward. While insurers will not be paying ransoms to criminals in embargoed locations or on the OFAC SDN list, we anticipate that cyber insurers may nevertheless increase premiums and retentions, and potentially sublimit extortion coverage.
Managing the ransomware risk is now essential
Faced with the real possibility that large ransoms will no longer be payable by insurers, organizations must respond by mitigating the likelihood of a successful ransomware attack and improving their cyber resiliency. Failure to do so could destroy some organizations.
Each organization’s cyber security needs are different, and every organization is at a different point in its cyber security journey. There are a number of things that all organizations can do to better prepare themselves to avoid or mitigate ransomware attacks:
Be conscientious about backing up systems
This may seem elementary, but the lack of reliable backups frequently motivates organizations to pay a ransom. Backups must be performed regularly and tested. Organizations should ensure that they can restore from backups quickly, and that the backups cannot be infected by the ransomware. Offline backups that are updated and tested frequently are a best practice.
Adopt strong patch management practices
It is essential that organizations consistently patch firmware, operating systems, and other software on their computer systems to ensure that newly discovered vulnerabilities are eliminated before they are exploited by a cyber criminal. Remote Desktop Protocol and Remote Desktop Gateway vulnerabilities are the most common points of weakness today.
Implement multi-factor authentication (MFA)
Requiring two-factor authentication from users would foil all ransomware that relies on compromised passwords to enter a system. MFA for remote connectivity is critical, but MFA within the network is also preferred, especially for employees with access to sensitive information.
Train users to recognize attacks
Users are the weakest element of any organization’s cyber security defenses. If one user falls for a phishing email, that may be all that is needed for ransomware to enter the computer system. Cyber security training is essential to ensure that the risk posed by human error is minimized. Today’s training options have improved over the traditional click-through modules. Engaging and sometimes humorous videos, behavior-based adaptation, and other means have proven to be more effective.
Monitor and filter email and web content
Filtering content will prevent malicious links and software from ever reaching a user.
Monitor network activity
Tools that allow organizations to monitor activity on their networks and endpoints can provide an early warning if a ransomware attack takes place. This may allow the company to detect and remove the ransomware before it is triggered. Use a strong antivirus and email filter provider.
Limit employee network access
Organizations should only give users access to the parts of the network that their work requires. Such limits can contain the spread of ransomware if a user’s account or device is compromised.
Building and upgrading cyber security is more necessary now than it was before the OFAC and FinCEN Advisories were issued. The process can be daunting though. Fortunately, help is available. Lockton’s cyber risk control services can help an organization identify and prioritize needs, and then address those needs. Leading cyber security firms have partnered with us to provide necessary services. Further, cyber insurers increasingly provide access to free services to assist organizations navigating these difficult cyber security challenges.
Please contact your Lockton Cyber & Technology Practice Associate for further information and assistance with anything outlined above.
Sources:
https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists
https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
https://www.ecfr.gov/cgi-bin/text-idx?ID=f91dc0dfccf133d5f835c31a3ba8910c&mc=true&node=pt31.3.501&rgn=div5#ap31.3.501_1901.a
https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf