U.S. Government Issues Advisory on Ransom Payment Risks

October 07, 2020

By Courtney Heinbach

The United States Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020 on the sanctions risks of making, or facilitating, ransom payments after a ransomware attack.

The advisory references the increase in demands for ransomware payments during the COVID-19 pandemic and states, “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Even a ransom paid by a cyber insurance firm on the victim's behalf carries this risk. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.” In plain terms, a ransom payment may end up with an individual or organization on OFAC's Specially Designated Nationals (SDN) list, or with one operating from an embargoed country, and OFAC can impose civil penalties for sanctions violations on a strict-liability basis, that is, even where the payer did not know who was on the receiving end.
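One concrete check that follows from this, added here as an example and not code from this post, from Datto, or from the OFAC advisory: a firm that facilitates a payment can screen the destination wallet address against the digital-currency identifiers OFAC attaches to designated parties in its downloadable SDN list (sdn.xml, published at https://www.treasury.gov/ofac/downloads/sdn.xml). The script below parses XML in that list's shape and flags any demanded address that matches. The embedded XML is a constructed sample; its uids, names and addresses are fake placeholders, not real list entries.

```python
"""Screen a ransom-payment destination wallet against OFAC's SDN list.

Added example, not code from the original post or from Datto. OFAC's sdn.xml
attaches identifiers of type "Digital Currency Address - <CURRENCY>" to some
designated parties. SAMPLE_SDN_XML is a constructed sample in that shape; every
uid, name and address in it is a fake placeholder, not a real list entry.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of OFAC's sdn.xml (fake entries only).
SAMPLE_SDN_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>1001</uid>
    <lastName>SAMPLE RANSOMWARE OPERATOR</lastName>
    <sdnType>Individual</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><idType>Digital Currency Address - XBT</idType><idNumber>1SampleBtcAddrNotRealAAAAAAAAAAAA</idNumber></id>
      <id><idType>Digital Currency Address - XMR</idType><idNumber>4SampleXmrAddrNotRealAAAAAAAAAAAA</idNumber></id>
      <id><idType>Passport</idType><idNumber>000000000</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>1002</uid>
    <lastName>SAMPLE EXCHANGE LTD</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program><program>DPRK3</program></programList>
    <idList>
      <id><idType>Digital Currency Address - ETH</idType><idNumber>0xSampleEthAddrNotRealaaaaaaaaaaaaaaaaaaaaaa</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""

DIGITAL_CURRENCY_ID = re.compile(r"^Digital Currency Address - (\w+)$")


@dataclass(frozen=True)
class SdnHit:
    uid: str
    name: str
    sdn_type: str
    programs: str
    currency: str
    address: str


def _local(tag: str) -> str:
    """Drop the XML namespace: '{http://...}idType' -> 'idType'."""
    return tag.rsplit("}", 1)[-1]


def normalize_address(addr: str) -> str:
    """Canonical lookup form. Ethereum hex (0x...) and bech32 (bc1...) addresses
    are case-insensitive; legacy base58 Bitcoin addresses are not, so they keep
    their case."""
    a = addr.strip()
    if a[:2].lower() == "0x" or a[:3].lower() == "bc1":
        a = a.lower()
    return a


def load_digital_currency_index(xml_text: str) -> Dict[str, SdnHit]:
    """Map every listed digital-currency address to the SDN entry that owns it."""
    index: Dict[str, SdnHit] = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        uid = name = sdn_type = ""
        programs: List[str] = []
        ids: List[Tuple[str, str]] = []
        for child in entry:
            tag, text = _local(child.tag), (child.text or "").strip()
            if tag == "uid":
                uid = text
            elif tag == "lastName":
                name = text
            elif tag == "sdnType":
                sdn_type = text
            elif tag == "programList":
                programs = [(p.text or "").strip() for p in child]
            elif tag == "idList":
                for id_el in child:
                    f = {_local(x.tag): (x.text or "").strip() for x in id_el}
                    ids.append((f.get("idType", ""), f.get("idNumber", "")))
        # Build hits after the loop so programs are known whatever the child order.
        for id_type, id_number in ids:
            m = DIGITAL_CURRENCY_ID.match(id_type)  # passports etc. are skipped
            if m and id_number:
                index[normalize_address(id_number)] = SdnHit(
                    uid, name, sdn_type, ";".join(programs), m.group(1), id_number)
    return index


def screen_addresses(addresses: Iterable[str], index: Dict[str, SdnHit]) -> List[SdnHit]:
    """Return the SDN entries matching any of the demanded destination addresses."""
    hits = []
    for a in addresses:
        hit = index.get(normalize_address(a))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    idx = load_digital_currency_index(SAMPLE_SDN_XML)
    demanded = ["1SampleBtcAddrNotRealAAAAAAAAAAAA", "1UnlistedAddrExampleBBBBBBBBBBBBB"]
    for hit in screen_addresses(demanded, idx):
        print(f"BLOCK: {hit.address} belongs to SDN uid {hit.uid} "
              f"({hit.name}, {hit.sdn_type}, programs {hit.programs})")
```

A match is a hard stop. A clean screen is much weaker evidence: actors rotate wallets faster than the list is updated, and the sanctions nexus the advisory describes also covers parties acting for, or from, sanctioned jurisdictions, which an address lookup cannot reveal. Screening therefore supplements, rather than replaces, a sanctions compliance review and the early contact with law enforcement that the advisory encourages.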

Also worth noting is the advisory's acknowledgment that paying a ransom does not necessarily get a business out of the woods. Recent attacks have shown that paying does not always restore access to the data, and it does nothing to undo a data theft. Earlier this year, a cloud service provider was hit with ransomware; it managed to stop the attacker from encrypting its files, but it still was not in the clear, because the attackers had already stolen data from its network and threatened to leak it, and the company ended up paying a ransom for that reason alone.

“Unfortunately there is no silver bullet to stop ransomware, so ensuring your business is prepared to handle this threat requires evaluating both people and technology,” said Chris Henderson, Director of Information Security at Datto. “Test your employees and identify those who need additional training, catering that training to the specific employees that could use more guidance. Endpoint antivirus and endpoint detection and response (EDR) solutions can help assist the uncontrolled spread of ransomware if it gets into your environment. A robust BCDR solution is a great safeguard against ransomware - just ensure you have tested your recovery plan and documented it to decrease the overall recovery time in the event of a disaster.”

Businesses need a layered plan both to prevent ransomware and to recover from it; no single product or practice will defend a business on its own. Consider the following tactics and tools:

  • Education: Make sure staff know the risks of ransomware and how an attack usually starts, typically with a phishing e-mail or a malicious attachment. The better they are at spotting a potential attack, the less risk the business faces.
  • Antivirus: A common tool, but its importance cannot be overstated; it should be the first tool in a ransomware prevention strategy. Keep in mind that it catches known malware and will not stop everything, which is why the endpoint detection and response tooling and the recovery capability below still matter.
  • Business continuity and disaster recovery (BCDR): If an attack does encrypt business data, the priority is getting business-critical systems back as soon as possible. BCDR enables that by letting a business spin up its systems from backups and keep operating rather than losing revenue to downtime. Two caveats: keep at least one copy of the backups where an attacker who has taken over the network cannot reach or encrypt it, and test the restore regularly, because an untested backup is not a recovery plan.

“For businesses who don’t have time to focus their efforts on their IT needs and the always-evolving threat landscape, it’s best to outsource those necessary functions to a managed service provider (MSP),” said Henderson. “MSPs are advisors in all-things IT that can provide a thorough ransomware prevention plan for their clients through education and technology, helping them focus on their own mission, rather than worry about risk.”

Moral of the story: if your recovery plan for a ransomware event is to call your cyber insurance company and pay the ransom, you are missing the controls that actually make recovery possible, and you may be taking on sanctions risk as well. Make sure the business understands the risks, and have a tested business continuity and disaster recovery capability in place so you can recover data and keep operating in the event of an attack.
