The recent advisory issued by the Office of Foreign Assets Control (OFAC) reminded companies to be wary of potential government sanctions when making ransomware payments. There has been an overall increase in state-sponsored attacks during the pandemic, particularly on financial and health care institutions. It makes sense that the OFAC would want companies (and their insurers, who often facilitate payments) to be especially cautious during these times.
So, exactly how worried should you be about a state-sponsored attack, and what can you do to protect yourself?
A State of Uncertainty
One of the most frustrating aspects of a ransomware attack is not knowing exactly who is demanding the ransom. Sometimes the identity of the attacker isn’t revealed until years later, as in the case of the major Equifax and Marriott breaches. As discussed in a previous blog, those occurred in 2017 and 2018, but they were not formally linked to the Chinese government until this year.
Another major case involves the ransomware virus NotPetya, which was deployed by a Russian group against businesses in Ukraine in 2017. The same group may also be involved in hacks connected to the 2018 Winter Olympics in South Korea and the 2016 U.S. presidential election, according to The Washington Post.
In both of these instances it took the government years to definitively link these major attacks to foreign groups. These groups, which often operate with direction and support from an established nation state, are also known as advanced persistent threat (APT) groups. With abundant resources at their disposal, their techniques evolve faster than defenders can keep up with, which unfortunately means that the federal response is often delayed. It may also mean that more ransomware attacks are linked to APT groups than we currently realize.
How Companies Can Respond
Companies that are victims of ransomware attacks are therefore in an impossible situation. In some cases, they risk huge financial fallout by not paying the ransom. At the same time, if they do pay, they may unknowingly be making a payment to a sanctioned APT group.
The best way for a company to proceed in the event of any cyberattack is to consult its own advisors (whether that be an insurer, legal counsel, or both) and to follow federal guidelines. As outlined in the OFAC advisory, the government maintains a number of lists of known sanctioned parties. Companies are required to follow these guidelines and report cyberattacks, and doing so helps reduce the chance of making a prohibited payment to a sanctioned APT group.
Just as important as having a good response plan is having a solid prevention plan in place. If your cybersecurity plan is thorough and up to date, it should be just as effective at protecting against APT groups as against any other cybercriminal. Invest in multifactor authentication so that stolen login credentials alone are not enough to get into your systems.
Train your employees to recognize phishing emails from would-be attackers. Test your data backups. Practice your business continuity plans. And consult with your cyber broker! At Risk Strategies we have extensive experience in handling these situations, and we are more than happy to help you protect your business and employees.
Want to learn more?
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
Email me directly at polohan@risk-strategies.com.