Posted by Michael Titens
Ransomware attackers are concentrating their efforts on hospitals and other health care providers according to a warning issued by the FBI and other government agencies on October 28. Attackers know that prolonged computer shutdowns in hospitals can be catastrophic and that hospital administrators may have few viable alternatives to making a ransom payment, making hospitals desirable targets. Numerous hospitals have already been hit, leading to postponed procedures and at least one patient death reported by the Washington Post.
Ransomware is not new, but attackers have adapted their methods to increase the pressure on victims. In addition to blocking access to computer systems and encrypting data, modern ransomware attackers also attempt to encrypt data backups, making it far more difficult for a victim to recover its files without paying the ransom. Furthermore, researchers have found that in nearly half of all ransomware attacks, attackers exfiltrate data from a victim’s network, including personal information of customers and employees. The attackers then threaten to release the data publicly on “walls of shame” unless the ransom is paid. Delays in payment result in partial data releases and threats to release more. As a result, even when a victim can rebuild its network and recover its files without agreeing to attacker demands, the threat of public data disclosure often compels the victim to pay the ransom.
Ransomware responders have adapted to this new environment. In addition to restoring a victim’s network, some forensics firms and cyber insurance providers assist with ransom negotiations and, if necessary, facilitate ransom payments. With more cyber insurance policies providing coverage for ransom payments, cost is less of an impediment to payment. And as ransom payments become more routine, attackers expand their criminal activities.
Counteracting this trend, and increasing the risks for ransomware victims, U.S. government agencies issued advisories last month warning that ransomware payments to certain attackers could violate U.S. sanctions laws. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC has already imposed sanctions on organizations and individuals located in Russia, North Korea, and Iran and plans to continue adding other cyber actors to its list of specially designated nationals. Under U.S. sanctions law, making or facilitating payments, directly or indirectly, to specially designated nationals is prohibited. A party making such a payment, as well as others involved in the process such as forensics firms and insurance providers, can be held civilly liable even if they did not know they were dealing with a sanctioned group or individual at the time the payment was made.
As part of its strategy to deter ransom payments, the government is also targeting other potential participants in a ransomware transaction. The OFAC warning specifically identifies financial institutions, cyber insurance carriers, and incident response firms that facilitate ransom payments as potential violators of U.S. sanctions laws. Furthermore, at the same time OFAC issued its warning, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory to banks and other financial intermediaries that they should file Suspicious Activity Reports and comply with related regulations whenever they participate in any aspect of a ransom transaction. Not only ransomware victims, but also the firms they choose to assist them in responding to an attack, must now reevaluate the costs and benefits of making a ransom payment, particularly where the attacker’s identity is unknown or the attacker is suspected to have already been designated by OFAC for sanctions.
The new guidance bolsters law enforcement’s view that victims should promptly report cyber incidents to the proper authorities (typically the FBI or Secret Service) and should not make ransomware payments. According to the OFAC advisory, “OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
While we anticipate that victims will still give serious consideration to making ransom payments, reasonable compliance procedures of forensics firms and financial intermediaries, including a possible requirement to involve law enforcement, may complicate any response. Furthermore, cyber insurance carriers may be reluctant to provide coverage for certain ransom payments. We have even heard that some insurance carriers may attempt to deny coverage for notification, legal, and other expenses related to a ransomware attack perpetrated by a sanctioned group.
So what can a business do in light of these increasing costs and risks associated with ransomware? Companies should take steps to minimize the likelihood and impact of any potential attack. For example, phishing e-mails are one of the most common attack vectors for ransomware. Network users should be trained to identify and avoid malicious e-mail and, in particular, malicious e-mail attachments such as those masquerading as Google Docs or .pdf attachments. Also, businesses should maintain offline backups of their network data and should consider segmenting their networks to restrict the ability of an intruder to move laterally within the network. Other suggestions can be found in the recent advisory from the Cybersecurity and Infrastructure Security Agency and in this update from our friends at Stroz Friedberg.
Ransomware remains a threat to businesses large and small. Recent attacks in the healthcare industry illustrate the potentially dire consequences of a network disruption. For advice and assistance preparing for, or responding to, a ransomware attack, please contact any member of the Thompson & Knight cybersecurity team.