Ransomware Part II — Ignore Ransom Demands

As discussed in Part I, How to Avoid a Ransomware Payment, insurers strongly discourage paying criminals. Meeting a ransom demand rarely brings relief for the victim, and it emboldens bad actors to continue this type of attack. If ransomware has blocked and locked your organization’s computers and files, you need to engage your legal counsel and insurance company immediately. Here’s an important reason to ignore ransom demands, along with tips for avoiding a ransomware attack in the first place.  

Paying a ransom can land you in hot water 

Most organizations train employees on how to avoid corrupt bribes and payments when conducting business overseas. A ransomware payment can fall into the category of prohibited transactions. 

In October 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to businesses and coordinators of ransomware payments. It said organizations can face strict civil and criminal penalties for supporting, paying, or assisting bad actors listed on the OFAC’s Blocked Persons List.  

Similarly, the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a warning in October 2020 to financial institutions. It noted that involvement in ransomware transactions may be a “money transition” subject to additional accountability. 

Unfortunately, it can take a prolonged time to verify if a ransomware attack is coming from an actor on the Blocked Persons (SDN) list. Typically, a company will engage a third-party forensic investigation through their cyber insurance carrier, and OFAC will perform another independent investigation.  

If, months after a ransom payment, the OFAC investigation discovers the payment unknowingly went to a listed actor, your organization could still face sanctions. Also, if either investigation turns up a connection, the insurance company will not assist with the payment. Your organization takes on all the risk and expense, with no guarantee of getting back what you need from the attacker. 

Defending against ransomware attacks 

Paying a ransomware demand encourages bad actors, with only a small chance of getting the data restored. The best response to this cyber risk is setting up a secure defense to prevent a ransomware attack.  

If you have not already implemented these five steps, your digital assets are in jeopardy:  

1. Multifactor authentication — First, put in place simple security measures to prevent one employee’s outdated password from exposing your whole organization. 
   
2. Employee training — Lack of employee awareness is the easiest way for a bad actor to spread malware, particularly through phishing scams. Invest in your people and teach them to be prepared.
3. Backups — Optimize your data recovery by having an offsite or cloud backup system, isolated (“air gapped”) from the main network. If your main network experiences a ransomware attack, you can get operations up and running without acceding to demands.
4. Security tools — Cybersecurity best practices call for a suite of tools that continuously monitor and collect data, looking for threat patterns. Categories include intrusion prevention; file integrity monitoring; database activity monitoring; security information and event management; and endpoint detection and response. If these tools detect anomalies, you can investigate proactively, with the goal of stopping an attack before it compromises your data.
5. Incident response plan — Plan for a worst-case scenario. If a ransomware attack occurs, what steps will you take to recover? Test your systems regularly to see how quickly you can resume operations after an incident. 

With ransomware, there is no ideal scenario. Companies risk losing money, data, and their reputation — and paying the ransom could do little to restore it all. Preparing your network security and controls with a robust defense and recovery strategy will put your business in a stronger position to ignore ransom demands if an attack occurs.