Ransomware law is becoming more important as attacks skyrocket. What is the government doing about it — and are they unfairly sanctioning victims?
You’re Hit!
You roll into the office at 8 a.m. on Monday, grab a cup of coffee, sit down and fire up your computer monitor. But instead of your normal desktop background, a sinister message stares back:
“Your files have been encrypted. Send five bitcoin to the following address to get the decryption key.”
Your heart sinks. You run to another computer. No dice. No matter where you go, no matter what you do, the same message greets you. It’s official: You’ve been hit with a ransomware attack! And if you don’t navigate things cleanly, you could end up doing irreparable damage to your business and reputation.
Ransomware Attacks Are On the Rise
According to a recent white paper by Sophos, nearly 51 percent of the surveyed organizations had suffered a ransomware attack. Some were lucky enough to have backups, but about 26 percent of the companies ended up paying the ransom.
Notably — and perhaps shockingly — Sophos’ study participants were mid- to large-sized companies, and a significant number of them didn’t have enough ransomware insurance to pay the demand.
Alarmingly, experts expect these types of attacks to increase drastically as remote working becomes the norm. After all, most people don’t deploy industrial infosec protections on their home networks, nor do they follow security protocols forcibly observed in office environments.
OFAC Ransomware Law Advisory
A recent advisory by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently announced a hard stance against ransomware attacks. OFAC enforces economic and trade sanctions against regimes, terrorists, and other parties engaged in illegal cross-border activities.
Ransomware Law: Sanctions Are Relentless
OFAC already slapped several attackers under its sanctions program, including the creators of WannaCry ransomware, Cryptolocker ransomware, and Dridex malware. Dealing with anyone on the OFAC list could invite sanctions — and “dealing” can include material assistance.
So what does this relate to your ransomware case?
If the person or group demanding payment is on OFAC’s naughty list, any money you pay to them — including ransom demands — may be considered “facilitating or providing financial support” and, therefore, subject to civil penalties. The government isn’t big on excuses, and it doesn’t care if you were unaware of the ransomware sanctions list; if you break the rules, they will make you pay.
In other words, if you fork over a cyber-hijacking ransom to the wrong person, the government can slap you with sanctions.
Identifying Attackers Is Nearly Impossible, But Feds Will Still Slap You With Sanction Fines
To complicate matters, most ransomware attacks use new crypto wallets. As such, it’s nearly impossible to identify OFAC-identified parties before engaging with them. Malware signatures can reveal attackers’ identities, but scam operations are becoming increasingly sophisticated, and they’re hiding their footprints much more effectively.
But OFAC violations qualify as strict liabilities, meaning even if you didn’t know or had no reason to know you were engaging with a blackballed party, the feds can still hold you liable. Not great, Bob.
What Is OFAC Signaling With Its Ransomware Legal Advisory?
So what’s the point of the advisory if it’s almost impossible to determine if a given ransomware attacker is on the OFAC list? Well, the department’s objective is to discourage businesses from paying ransomware demands. The advisory cautions that “facilitating a ransomware payment…may enable criminals….and may also embolden cyber actors to engage in future attacks.”
But when faced with losing an entire business or giving in to a ransom demand, it’s understandable why people choose to pay. However, the stakes for doing so just got higher, so think it over carefully — and call an attorney well versed in ransomware law before you do anything!
Connect With a Ransomware Law Attorney
Attorney Aaron Kelly has considerable experience working on data breach issues. If you need the help or advice of a lawyer with a proven ransomware law track record, get in touch today.
Sources:
https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
https://redtape.substack.com/p/whats-it-really-like-to-negotiate