Cybersecurity breaches against businesses in the form of ransomware attacks have risen drastically in recent years. These attacks can be particularly difficult on a company’s bottom line especially in conjunction with the Covid-19 pandemic. While most companies now carry insurance covering ransomware attacks; nevertheless, such an attack can leave a company’s data, servers and ability to communicate in the lurch for weeks on time, threatening business continuity.
Ransomware is a form of malware designed to encrypt files on a device rendering any files and the systems that rely on them unusable. Ransomware perpetrators then demand ransom in exchange for decryption. Put simply, ransomware attacks function as follows: the attacker gains access to the target entity’s computers, typically through some form of phishing scheme and encrypts files through malware. Once access has been gained, the attacker will “lock out” the target entity, preventing access to its data, servers, email, and the like. The attacker will then demand a certain fee from the company to unlock the encrypted data. If the company does not pay, and elects to attempt to resolve the hack through typical law enforcement channels or reconstruction of the systems and data through back-ups or other means, it could take weeks to months to regain full access. In addition to the cost to replace, this option can costs businesses thousands, hundreds of thousands or even millions of dollars if they are not able to functionally operate quickly.
So what can be done? For one thing, as previously mentioned, most companies now have cybersecurity or possibly other types of insurance policies that cover ransomware attacks. Though an insurance policy can provide some measure of peace of mind for a business, coverage is not a panacea and does not always cover the value of the lost business a victim company of a ransomware attack may suffer. For example, depending on the language of the policy, the insurance may not cover the loss of future business an extended shutdown may cause from clients moving their business elsewhere, as often occurs, either out of fear their data may be compromised or simply because a competitor company is still up and running.
The solution, at least some insurance carriers have proposed, is simple, even if it may leave a bad taste in one’s mouth: simply pay the ransom. The idea is that, once the ransom is paid, the attacker sends the encryption code and is never to be heard from again. The ransom fee may be relatively high and the victim company’s insurance premiums may increase, but the theory is that the cost pales in comparison to the potential losses typically associated with long shutdowns due to a ransomware attack.
But buyer beware, on October 1, 2020, the US Department of Treasury Office of Foreign Assets Control (“OFAC”) issued an Advisory warning to insurers and other organizations that facilitating a ransom payment to cybercriminals perpetrating ransomware attacks “not only encourage[s] future ransomware payment demands but also may risk violating OFAC regulations,” See U.S. Department of the Treasury, 2020, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” issued October 1, 2020. The OFAC regulations being referenced include the International Emergency Economic Powers Act and the Trading with the Enemy Act, which prohibit engaging in direct or indirect transactions which have been blacklisted by OFAC. The October 1, 2020 Advisory cautions that both criminal and civil sanctions could be imposed with civil fines ranging from $1,000 to $307,922 and criminal penalties ranging from $50,000-$10,000,000 and imprisonment from 10 to 30 years for willful violations. The civil violations emphasize strict liability, meaning that regardless of intent (or lack thereof) an entity that engages with a black-listed organization will be liable.
These penalties are steep, but mitigating steps can be taken by an insurer or entity that facilitates such a payment in the form of a sanctions check report. A sanctions check report typically generates information such as: the amount of the ransom payment, the Bitcoin wallet address and factors analyzed in an attempt to identify the ransom recipient (such as known or unique identifiers related to the threat actor or malware, and Blockchain analysis of the Bitcoin wallet address where the funds are being sent). A typical sanctions report also may attest that, based on the available information, it does not appear as if the ransom payment is being sent to an individual or organization identified on an OFAC sanctions list. Cooperation with criminal investigations are also considered mitigating factors as well as self-reporting any violation.
In conclusion, insurers and entities should be careful when making payments to do their due diligence on who is being paid through a sanctions check report. Though this type of check may not completely eliminate risk, it will go a long way in mitigating most of it. Insurers should also take the further step of reporting these attacks and demands to the OFAC and FBI prior to any payment being made. In the face of loss of business, the cost of ransom, and the possibility of sanctions, companies are unfortunately left with no perfect solution to this increase in ransomware vulnerability.
Alex Kelly is an Associate in the Firm’s General Litigation Group where he handles a variety of litigation matters in the Maryland district and circuit courts throughout the State of Maryland. He is also a member of the Firm’s Privacy and Cybersecurity Practice Group. Mr. Kelly can be reached at 41-769-6146 or firstname.lastname@example.org.