Ransomware Just Got More Expensive

2020 will be known for a lot of things. But between COVID-19, the presidential election, the death of NBA legend Kobe Bryant, and the rise of Among Us, it’s safe to say a surge in ransomware attacks won’t be making the cut for this year’s greatest (and not-so-greatest) hits. In a year rife with “can’t catch a break” moments, an increase in ransomware attacks is here to make things just a little bit worse. 

A type of malware that holds victims hostage by threatening to leak or block access to critical data, ransomware joins video chat developers and mask manufacturers as one of the few industries that have enjoyed a fruitful calendar year.

The rise in ransomware, both in overall incidents and monetary demands, is thought to be tied directly to the world’s response to the COVID-19 pandemic. With many businesses opting out of meeting face to face on a regular basis and allowing workers to clock their hours from home, the world’s dependency on digital technologies grew exponentially in 2020. Events like in-person meetings, classroom sessions, and even your daily commute have all been thrust online.

IBM Security X-Force states that ransom demands have increased significantly in 2020, with June serving as one of the busiest months in recent memory. One-third of all the ransomware attacks remediated by IBM Security X-Force took place in June (as of September). The company also states that ransomware was responsible for a quarter of all the incidents it responded to this year. 

Ransom amounts vary from industry to industry, but IBM has seen demands range from a few hundred thousand dollars, all the way up to a soul-crushing $40 million. The problem is most companies have no choice but to pay, and do so pretty quickly. Whether it’s the fear of having sensitive information hit the web or simply being unwilling to sacrifice incoming revenue from a halt in operations, paying the ransom is often the path of least resistance. 

Well, that was the case until the United States government made its presence felt. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on Oct. 1, demanding that companies not facilitate ransomware payments unless they want to, as it turns out, pay an additional fine…  

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” OFAC wrote in a statement.

“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

This is probably not the sort of development that ransomware victims were hoping for. Companies are already caught in a difficult situation, and OFAC’s recent advisory makes things even more difficult as they try to navigate toward the right response (think being stuck between a rock and a hard place… while the rock was covered in ants and the hard place was on fire).

Consider the nightmare scenario that hit the city of Baltimore in 2019. The city was struck by a ransomware attack in which malicious actors demanded a little under $80,000 to unlock the city’s government servers. The city took the high road and refused to reward criminal behavior — a decision that wound up costing the city more than $18 million in remediation, hardware, and lost or deferred revenue. The city cited unwavering morals and advice from federal agencies as justification for the cost.

So what should organizations do in place of paying those ransoms? Prevent them altogether, according to OFAC. 

“As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” the advisory states. “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services).”

But, considering we’ve been asking folks not to click on foreign links to no avail for years, it’s clear mitigation is easier said than done.

What do you think? Should companies even consider paying ransomware demands? Let us know in the comments below.