Ransomware negotiators may have to pay up in new ways if they intercede with cybercriminals on companies’ behalf. Several researchers weighed in on the wisdom of the move, with mixed reactions.
The U.S. Department of the Treasury said Thursday that companies that facilitate ransomware payments to cyber-actors on behalf of victims may face sanctions for encouraging crime and future ransomware payment demands. These facilitators can fall into multiple camps, including financial institutions, cyber-insurance firms, and security firms involved in digital forensics and incident response.
The department has added multiple crimeware gangs to its sanctions program, prohibiting U.S. entities or citizens from doing business with them (which includes paying them a ransom). These include the developer of CryptoLocker, Evgeniy Mikhailovich Bogachev; the SamSam ransomware group; North Korea-linked Lazarus Group; and Evil Corp and its leader, Maksim Yakubets. The latest advisory does not itself designate new actors; rather, it warns that anyone who facilitates a ransom payment to a sanctioned person or to a comprehensively sanctioned jurisdiction, whether the victim, its insurer, its negotiator or its bank, may be in violation of sanctions regulations.
“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber-actors to engage in future attacks,” according to a website notice on the policy. “In addition, paying a ransom to cyber-actors does not guarantee that the victim will regain access to its stolen data.”
The Treasury Department added that a lack of knowledge of the sanctions’ existence is not an excuse, and that people could still be held civilly liable in that case. However, if a company makes a “self-initiated, timely and complete report of a ransomware attack to law enforcement,” this will be taken into account and could lower any penalties for the organization.
The department did not specify the amount of any potential penalty.
To Pay or Not to Pay
While the feds have always recommended against paying ransoms, in practice the decision whether to pay is a case-by-case one that depends on the victim’s circumstances, researchers said. Businesses without usable backups may be desperate to get their data back, for instance; and often the ransom demand is lower than an investigation and rebuild would cost (negotiation firms can frequently talk the demand down on a victim’s behalf). Also, because many gangs now steal data before encrypting it, exposure of sensitive data is a further consideration.
Because of that, the Treasury Department’s move could end up being counterproductive, some said.
“Penalizing businesses that pay off attackers sounds like it will make ransomware less lucrative,” Melody Kaufmann, cybersecurity specialist for Saviynt, said via email. “The converse is true. This advisory will propagate ransomware rather than reduce it for three key reasons. First, it disincentivizes reporting ransomware attacks, robbing law enforcement, security professionals, and analysts of data vital to combat future attacks. Second, it fails to provide an effective data recovery alternative. Third, it favors big corporations while crushing small- to medium-sized businesses beneath its heel.”
Small and medium businesses are notorious for having weak security because maintaining an information security team is often cost-prohibitive. Lack of security increases their risk and the likelihood of infection, she added.
“This advisory discourages them from contacting law enforcement by increasing the chance of a fine,” she added. “Often paying the ransom is cheaper than the cost of losing their data or recovering from back-ups, which few small businesses even maintain. The Treasury Department will only learn of a ransomware attack on a small or medium business via a disgruntled employee or a media outlet reporting it.”
Tim Erlin, vice president of product management and strategy at Tripwire, added that ransomware affects every segment.
“It’s not just commercial organizations that have paid out for ransomware incidents,” he said via email. “There have been government agencies, cities and police departments that have fallen victim and ultimately paid the ransom as well. It’s easy to say that you should never pay the ransom because it just encourages more ransomware, but it’s much harder to follow one’s own advice when faced with the potential for sensitive data loss, publication, or the loss of your business.”
Not everyone saw the move as problematic.
“We need to change the economics of the bad guys if we want anything to change,” CynergisTek CEO Caleb Barlow said. “Ransomware payment got so much more difficult to do. The fact they’re using the Treasury Department to do this is brilliant. The reach of US Treasury is far broader – [and] applies to U.S. companies, allies, citizens – that they cannot aid and abet the enemy. A ransomware payment is no longer a get-out-of-jail-free card. Enterprises have to invest in defenses.”
He added that Garmin’s recent, knowing payment to an adversary on the sanctions list “likely accelerated this decision.”
Nozomi Networks CEO Edgard Capdevielle also fell into the “don’t pay” camp.
“While it might be tempting to pay a ransom, doing so only fuels the fire,” he said via email. “We are seeing more instances where the public and private sector respond to the pressure and pay the ransom…choosing to pay a ransom is too often a short-sighted response that could come at a high cost. Research has shown that paying a ransom can double the cost of recovery. Building, maintaining and constantly improving an organization’s cybersecurity program is always the best approach and there are certainly tools available today that provide cost effective solutions.”
He added, “Organizations that give into hackers’ demands are only supporting the profitability and growth of ransomware activity. When it comes to ransomware attacks, prevention will always be better than a cure.”
One thing is certain – ransomware has reached epidemic proportions, according to Charles Carmakal, SVP and CTO of FireEye Mandiant.
“Ransomware is the most significant and prevalent cybersecurity threat facing corporations today,” he said. “Today’s ransomware and extortion problem is unbearable. Many ransomware operators steal a large volume of sensitive data from organizations prior to deploying encryptors and locking organizations out of their systems and data. Threat actors may ask for money for a decryption tool, a promise to not publish the stolen data, and a walkthrough of how they broke into the network.”
He said that these types of extortion demands are in the six-figure range for smaller companies and between seven and eight figures for larger companies.
“We are aware of several victim organizations that paid extortion demands between $10 million and $30 million,” he said. “Mandiant is aware of over 100 organizations to which ransomware operators had network access in September alone, more than double what we were aware of in September of the previous year.”