Note to the CFO: Please Don’t Pay Ransoms
The Department of the Treasury has issued guidance: Paying off or facilitating a payment related to ransomware can be illegal.
As you read through this, ask yourself these questions:
- Do you have a written Incident Response Plan, including team roles and responsibilities, security policies, procedures, and controls?
- Do you run tabletop exercises to validate your processes against real-world scenarios?
- Who gets the first call? The second call?
For most businesses, being hit with ransomware is devastating. Trust us, we’ve gotten the call repeatedly from unprepared companies, and the sense of dread they experience can be overwhelming. In this article we discuss the steps to take to bolster your Company’s Incident Response Readiness, but first, let’s talk about the danger.
For those who are unfamiliar, NIST, the National Institute of Standards and Technology, defines Ransomware as: “A type of malware that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”
As a frequent reader of Layer 8 Security blogs (if you’re not following us yet, now is the time ;-), you’ll know that we’ve shared several strong reasons not to pay off the thieves.
- There is no guarantee that paying the ransom will get your data back.
- In addition to encouraging the attackers by paying, you identify yourself as a “known payer” to the attackers so they can target you again.
To be clear, your willingness to give in might lead to future attacks. Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States.
Beyond the meta-reasoning that none of us should negotiate with criminals, the Department of the Treasury has issued guidance suggesting that payment could run afoul of the law. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities, which can be found here: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
The OFAC has a list of international “bad actors” who perpetrate malware attacks. The thinking is clear: the OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities. “If you pay off a ransomware attacker on the list, you enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.” In summary, lack of preparation for an attack may not only leave you feeling required to risk money to retrieve your data and systems; it could further subject you to sanctions for supporting illicit activity.
Alternatively, proactive organizations are preparing themselves by assessing their current level of cyber resilience and readying for the inevitable. While a mature, comprehensive Information Security Program is your safest course of action, one facet of a Program every entity should understand is its current level of Incident Response Readiness. Do you have a written Incident Response Plan, including team roles and responsibilities, security policies, procedures, and controls? Do you run tabletop exercises to validate your processes against real-world scenarios? Who gets the first call? The second call?
For a more in-depth treatment of Incident Response Readiness, I invite you to check out the following service listing:
https://layer8security.com/services/incident-response-readiness-program/. Regardless of your current state, Layer 8 Security is here to help.