The Ransomware Dilemma
By Peter Machtiger
The first week of October, the Treasury Department’s Office of Foreign Assets Control (OFAC), which enforces economic and trade sanctions policies, released an advisory memorandum describing the potential sanctions risks associated with ransomware payments. The memorandum illustrates the current dilemma facing victims of ransomware, which have continued to grow in number (with ransomware attacks increasing 37% from 2018 to 2019). This piece will examine the current ransomware sanctions landscape and its potential implications, and then propose some ways to address the problem of ransomware moving forward.
The Current Ransomware Sanctions Landscape
“Ransomware” is generally shorthand for when malicious cyber actors gain access to a computer system, encrypt the data they find, and extort the owner of the system for a ransom payment in exchange for decrypting the data and restoring the owner’s access. As the number of ransomware incidents has grown, OFAC has designated several of its biggest perpetrators under various sanctions programs, including the Russian developer of the “Cryptolocker” ransomware, two Iranian individuals involved with the “SamSam” ransomware, the North Korean Lazarus Group linked to the “WannaCry 2.0” ransomware, and the Russia-based group “Evil Corp.”
Under the authority of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), OFAC can impose financial penalties on those that engage in transactions with sanctioned individuals or entities. In the context of ransomware, this can include victims that pay the requested ransom to a designated group or, according to the OFAC guidance, financial institutions that help process such payments and companies that provide cyber insurance. In theory, ransomware victims can request a license from OFAC to pay a particular ransom, but these requests carry a “presumption of denial.”
Implications of OFAC Enforcement Actions Against Ransom Payers
As mentioned in the new OFAC guidance, these penalties were always possible, but they had not previously been laid out so explicitly. At a macro level, discouraging ransom payments makes sense: if ransomware is profitable for cybercriminals, the number of ransomware attacks will increase, especially as the “attack surface” grows (i.e., more people have internet-connected devices that can be exploited). But the possibility of OFAC enforcement actions puts victims of ransomware in a tough position. In a world without the possibility of sanctions, paying the ransom would often make more financial sense for ransomware victims than grinding their business to a halt for an undetermined period of time while they try to recover their data. With the possibility of an OFAC enforcement action for paying a ransom, however, victims of ransomware must choose between two bad options: if they pay the ransom, they face the financial consequences of an enforcement action, and if they do not pay the ransom, they face the potential ruin of their business if they do not regain access to their data. This is the “ransomware dilemma.” The decision gets even harder in cases like recent ransomware attacks on hospitals, where patients may die as a result of the attack.
If a company becomes a victim of ransomware, the current landscape presents two general paths: compliant and non-compliant. A generally compliant victim will immediately contact the Federal Bureau of Investigation and, upon learning that the cybercriminal is part of a group designated for sanctions, contact OFAC to request a license (which will likely be denied). If it is unclear who the perpetrators are, the victim may still be subject to civil penalties for paying a ransom if it later becomes clear that the recipient was a designated group. Depending on the data accessed, the company may also be legally required to notify its customers about the incident. If the company cannot regain access to its data, it is essentially out of options. It could try to pay the ransom anyway and hope that OFAC considers its cooperation with law enforcement a “significant mitigating factor,” but it will still probably face a penalty. Additionally, financial institutions and cyber insurance providers will likely be unwilling to assist in the ransom payment because they would risk penalties, too.
A generally non-compliant victim would try to cover up the incident to avoid having to notify its customers of the breach and to avoid alerting OFAC. The company might try to quickly facilitate the payment via one of the more anonymous cryptocurrencies to avoid detection by OFAC. If many victims were non-compliant, law enforcement would have a much harder time taking down ransomware groups because it would not know the extent of these groups’ activities or how they operate. If discovered, this kind of non-compliant victim would likely face serious legal and financial consequences.
How to Address the Ransomware Dilemma Moving Forward
Companies cannot completely eliminate the risk of being ransomware victims, but there are certain steps individual companies and the government can take to mitigate the growing ransomware threat.
The best and simplest step companies can take to protect themselves is to start implementing regular complete backups of their data, maintained offline. If companies have that policy in place, they will simply be able to “reboot” their systems from those backups if faced with ransomware. Companies can also improve cybersecurity training efforts, regularly patch and update their operating systems, and adopt technical solutions that help prevent typical malware exploits, but, realistically, many small businesses do not have the money to maintain dedicated cybersecurity personnel. Companies that pay for cyber insurance may decide to shift some of those resources to prevention if cyber insurance companies will no longer pay certain ransoms for fear of OFAC enforcement actions.
There are several different aspects of the ransomware problem that government can help address. First, the government can pass regulations or legislation that mandate better cybersecurity practices, like the California law banning default passwords in internet-connected devices. This might help slightly, but it is unlikely to have a substantial impact on the problem. Government agencies can also continue to help companies develop better cybersecurity practices, as the Cybersecurity & Infrastructure Security Agency (CISA) has done to great effect since its inception. More significant might be an aggressive government approach to regulating cryptocurrency exchanges. If cryptocurrency becomes an untenable method for receiving ransomware payments, cybercriminals would have a much harder time getting paid, making ransomware a less profitable endeavor. Next, prosecutors can continue to indict cybercriminals; this may not lead to arrests in countries that do not have a strong relationship with the United States, but it may discourage the named criminals from further major attacks. Finally, a government campaign of “persistent engagement” by U.S. Cyber Command (CYBERCOM) to disrupt cybercriminals might deter ransomware attempts. This might be going on more than has been publicly disclosed, as CYBERCOM has reportedly been mounting a campaign to disrupt the “Trickbot” botnet, which has delivered ransomware within the U.S.
Conclusion: The Status Quo is Not Viable Long-Term
The recent OFAC guidance makes sense as a step towards the long-term goal of curbing ransomware. However, until there is a coordinated government approach to addressing ransomware, OFAC enforcement actions just place companies in the middle of an unfortunate dilemma. Companies should do what they can to decrease their vulnerability to ransomware, but new government policies are necessary to make ransomware less economically viable for cybercriminals.
Peter Machtiger is a student at NYU School of Law, where he has been a Student Scholar at the Reiss Center on Law and Security, Co-President of the National Security Law Society, and currently serves as a Contributing Editor for NYU Wagner Review. Prior to law school, he was an infantry officer in the United States Marine Corps. Peter has a BA from Harvard University in Government.