Earlier this month, the US Treasury Department's Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers. The advisory has the potential to disrupt the ransomware monetization model, but also puts victims, their insurers and incident response providers in a tough situation where this type of attack could cost much more and take much longer to recover from.
"OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC," the Treasury Department said in the advisory.
Payments keep ransomware alive
Ransomware started as a consumer threat, being an evolution of the older scareware model where users were being tricked by fake popups with false claims to buying bogus security products or to pay fictitious fines. In fact, in the beginning, ransomware programs were not encrypting files, but were simply trying to lock users from using their computers with persistent overlay screens and other techniques.
As competition for victims in the ransomware space increased, some groups started targeting both consumers and businesses indiscriminately, but it wasn't until the WannaCry and NotPetya attacks in 2017 that many cybercriminals realized just how vulnerable corporate networks were. Over the past three years, we've seen sophisticated cybercrime groups pivot to ransomware from other types of financial crimes. They use APT-style techniques such as careful target selection, deep reconnaissance, lateral movement, fileless execution, living off the land and victim-tailored payloads, and they're very successful.
The value of ransom demands has also skyrocketed, varying between hundreds and millions of dollars per victim. Attackers keep pushing the limits of what they can ask and that's partly because cyberinsurance policies often cover the costs of ransomware attacks. Little information is available on how many private companies choose to pay ransoms, because there are no regulatory obligations to report such incidents, but indirect evidence suggests that paying ransomware is common.
This is also reflected in the fact that an increasing number of incident response firms and independent consultants are engaging in ransomware negotiations on behalf of victims, whether they openly advertise such services or not. Some organizations and financial platforms assist with the payment process like converting funds into Bitcoin or other cryptocurrencies and sending them to the attackers.
Last year, ProPublica reported that insurance companies often advise their customers to pay the ransoms because it’s less expensive than rebuilding all systems and recovering from backups, which includes costs associated with prolonged operational downtime. This creates a vicious cycle where the attackers successfully extort money, the insurance companies pay less, incident response providers get contracts, and the victims recover quicker. As a result, ransomware remains a profitable and desirable monetization model for cybercriminals.
"Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims," OFAC said in its advisory. "For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks."
Examples of groups or individuals that have ties with ransomware attacks and are on the Treasury Department's sanctions list include two Iranian nationals linked to the SamSam ransomware; North Korea's state-sponsored Lazarus group, which is known for collaborating with cybercriminals and is linked to the WannaCry attack; and a Russian cybercriminal organization called Evil Corp, which is behind the Dridex botnet and the WastedLocker and BitPaymer ransomware programs.
However, the cybercrime ecosystem is so complex that it's impossible for victims or their security providers to know with certainty that some of the money from a ransom demand don't go to an entity or person or government on the sanctions list. OFAC makes it clear in its advisory that not knowing if the recipient is subject to sanctions does not protect organizations from liability and civil penalties.
Impact on victims, insurers and incident response firms
"I think the real intention of this advisory is to get the incident response industry out of the shadows and operate with more transparency, with cooperation and input from governments, so that governments have more control over the outcome of these incidents," Brett Callow, a threat analyst at anti-malware firm Emsisoft, tells CSO. "In 2018, the average ransom demand was about $5,000. Most of the victims were small businesses. Now the average demand is somewhere in the region of $200,000 and multi-million dollar amounts are increasingly becoming the norm. We're seeing hospitals being targeted, large multinationals, companies operating in the defense industrial base. So, the whole thing has become a lot more serious than it was only a couple of years ago and the government really needs to find a way to intervene in what's happening to stop the situation becoming even worse than it is at the moment."
Emsisoft is one of the security companies that have publicly called for governments to ban ransomware payments, calling them "a risk to national security, to election security, to companies’ intellectual property and financial security, to individuals’ personal information and to their health, safety and wellbeing." Earlier this year, the first ransomware-related fatality was reported in Germany, where a woman with a life-threatening condition was redirected to a hospital 20 miles away because the closest one was unable to receive patients after a ransomware attack. The delay in receiving treatment was cited as the reason for her death.
The OFAC advisory doesn't outright ban ransomware payments, but advises companies who want to engage in such transactions to contact law enforcement first as this will be a "significant mitigating factor" for the enforcement action if it's later determined that a payment was in violation of government sanctions. Organizations can also apply for an OFAC license to make a ransomware payment, and these requests will be reviewed "on a case-by-case basis with a presumption of denial."
The question is what will happen if most of these payment requests are denied and will organizations even risk asking for permission if the result is likely to be them not being able to recover and going out of business?
According to Callow, companies are already going out of business because of ransomware, so the question is whether we want to accept this happening at a higher rate in the short term for the longer benefit of ransomware disappearing. "The question really is whether you want that to happen on a very short-term basis, because ransomware would stop but no one was to pay ransoms, or whether you want it to keep on happening on an ongoing basis without any end in sight," he says. "We will see more attacks on hospitals and we will see people dying as a result of those attacks. We will see companies going out of business. We will see intellectual property being stolen so on and so forth. It will be a continual ongoing problem."
It's not very clear what room for maneuvering is left for incident response companies to assist their clients with ransomware attacks and whether providing information about the attackers, engaging with them to test whether they're able to actually decrypt files or to negotiate a lower ransom would qualify as "facilitating" a transaction under the OFAC regulations. "Frankly, that puts us in an interesting situation with a client, where we say: 'Hey, we are not able to facilitate payments. Can we still negotiate on your behalf? Absolutely. And we can validate all the keys and do all of those things to get you to the point where you can do a transaction but we cannot do a transaction'," Kurtis Minder, CEO of threat intelligence firm GroupSense, tells CSO.
GroupSense's services are based on the threat intelligence the company gathers from cybercriminal forums and underground marketplaces, where they've built fake personas to monitor threat actors and the data they put up for sale. The company announced a ransomware negotiation service in September that includes evaluating and engaging with threat actors, developing negotiation strategies to lower the payment demands and even managing the cryptocurrency transactions. The part on handling payments would now put them at risk of violating OFAC's regulations.
"At the beginning of every negotiation we make several very strong recommendations [to customers]," Minder says. "One of them is that they involve law enforcement and the FBI. So now we can tell them: 'Look, we can help you get to a financial resolution, to the point of the transaction, but we have to stop at the transaction because of this. You need to take it back to law enforcement and ask for direction, because it's the mandate from the government'."
On the other hand, Minder described the Department of Treasury's position as "a little bit tone deaf" because it does not offer an alternative to victims. In his opinion, if the government wants companies to stop making ransomware payments, it should offer a relief program that includes subsidies for ransomware victims to help them not go out of business because of it. "I agree with the premise of what they're trying to achieve, but without offering assistance to companies who are in this situation, it's not actually going to be effective," he says. "It's just going to drive behavior underground."
The advisory might also have big implications for the cyberinsurance market, according to Rick Betterley of Betterley Risk Consultants, an independent risk management consulting firm that releases periodic reports on specialty lines insurance products, including cyberinsurance.
Betterley agrees that the presence of insurance makes it easier for victims to pay ransom demands, but he doesn't believe that victims would be better off without insurance or that a large number of insurance companies force their customers to pay ransoms. That's because while the costs of responding to a ransomware attack and rebuilding systems are covered by insurance policies, the losses companies incur from business interruptions are typically not or nowhere near to the full extent, and those are the losses that could drive a company out of business. So, while some insurance companies are maybe taking the cheaper way out, the decision to pay ransoms is also driven to a large extent by victims' desire to stay in business.
There's no question that having insurance makes it easier for victims to pay, but if there were no insurance coverage for these ransom payments, a lot of victims would still likely pay. It would be harder to come up with those funds, but the choice would be between that or going out of business, Betterley says. "The big problem I think is going to be that insurance companies will not pay a claim that violates a government mandate that says those claims cannot be paid, so I think we have a really big insurance problem with the US Treasury actions."
This might serve as an opportunity for insurance companies to take out ransomware coverage out of their cyberinsurance products if they conclude that they're not getting high enough premiums compared to the amount of ransomware-related claims they have to pay. In January, Reuters reported that US insurers have ramped up cyberinsurance rates by as much as 25% and Allianz was even analyzing whether ransomware insurance should be broken off into a separate product from general cyberinsurance.
"This is one of those good examples of where a small extra benefit of an insurance policy turns out to be very valuable from the insured standpoint and a big problem from the insurance company standpoint," Betterley says.
It wouldn't surprise Betterley if insurance companies decided to withdraw ransomware coverage. While that would be a big deal, it wouldn't be Earth shattering as far as how many companies would still decide to buy the rest of cyberinsurance coverage.
“Ransomware attacks are a growing problem – increasingly so since the pandemic hit – and last week’s OFAC advisory underscores the seriousness with which the US government takes them," the Insurance Information Institute, an insurance industry association, tells CSO via email. "The threat to US businesses of being extorted – as well as of running afoul of OFAC – reinforces the importance of cyber best practices, which includes backing up all mission-critical data. Many insurers are working with their clients to put such practices in place and taking a variety of other steps to address the threat of ransomware attacks."