Leading-Edge Law: Is it illegal to pay ransomware?
Is it now illegal for your business to pay ransomware if its computer system gets cryptolocked?
To understand the pros and cons of possibly paying, first look at how ransomware usually works.
Ransomware attacks generally come from sophisticated criminal organizations. It’s not just one bad person with a cryptolocking program. These groups are usually based in Russia or other former Soviet republics.
Ransomware attackers demand payment in cryptocurrency, usually Bitcoin. The average ransomware payment is $140,000. Average computer-system downtime is 23 days.
Sensei Enterprises, a technology, cybersecurity, and digital forensics firm in Fairfax, said paying ransomware rarely fixes the problem. (Full disclosure: my firm is a Sensei client.)
Paying ransom is tempting financially. Sensei says the cost of remediation is often 10 times the ransom demand.
But paying ransom doesn’t mean everything gets restored. Sensei says only 8% of victims who pay ransomware get back all their data. Only 29% get back even half. The decryption key the bad actor provides after the ransom is paid is often ineffective or suffused with malware.
On top of that, the bad actor usually infiltrates a computer system before cryptolocking it. About 81% of ransomware cases involve data theft. The bad actor often leaks or sells that data.
Ransomware attackers often attempt to hit the same victim for two payments: a first one to undo the ransomware cryptolock and a second one to not publicly release the victim’s data (which promise may be broken).
Ransomware attacks are getting worse.
The U.S. Treasury Department believes ransomware payments have roughly doubled this year. In the first six months of 2021, it identified roughly $5.2 billion in bitcoin payments as likely ransomware payments.
According to Sensei, ransomware attackers largely moved from targeting large companies to small and mid-sized ones due to severe actions by the government, the military, and private companies, which caused pain to the cybercriminals, who hope to avoid future punishments by avoiding “big game” companies.
The escalation in ransomware is affecting cyber insurance.
Insurers are increasing premiums massively and reducing coverage, both in terms of total monetary coverage and coverage exclusions. Some cyber-insurance companies are inserting a clause entitling them to decline coverage when it appears the attack was made by a foreign governmental entity or one working at its behest.
The U.S. government strongly prefers that you not pay ransom because doing so encourages cryptolock attacks.
In late September, the Treasury Department’s Office of Foreign Assets Control updated its guidance on whether it might sanction companies that pay ransomware. The agency bases this sanction threat on its power to ban U.S. persons from doing business with certain foreign bad actors and to sanction U.S. persons who do such business.
The agency publishes an embargo list of malevolent countries, organizations and people — places from which ransomware and other cyber attacks frequently emanate. Most of the banned organizations and people are in Russia and other former Soviet republics.
If your business gets hit by a ransomware attack, it probably will be impossible to know whether the malefactor that hit you is on that embargo list. These ransomware organizations frequently change their names to throw off law enforcement.
The agency states it can sanction you even if you didn’t know you were paying ransomware to an entity on the embargo list. But even the U.S. government has a hard time determining exactly who is behind many ransomware attacks. Thus, practically speaking, one wonders whether sanctions are likely to be imposed on companies paying ransomware.
In the end, the federal agency does not universally prohibit companies from paying ransomware. It doesn’t have the legal power to do so. Many companies will continue to pay.
What should you do?
Sensei counsels that every company should have an incident response plan for what to do if hit. In the plan, the most important thing is to have an experienced data-breach lawyer on call. That person will know the rules of engagement, have ongoing relationships with relevant governmental organizations, and may be familiar with some ransomware groups.
Above all, don’t be a soft target. Harden your systems and organization against a ransomware attack. Back up your data into a secure place. Keep software patches up to date. Do cybersecurity training for employees. Using multi-factor authentication of computer-system users.
The federal agency says it will consider how well your company steeled itself against a ransomware attack in judging whether to sanction your company if it unwittingly pays ransomware to an embargoed entity.
It also says it would be more lenient with ransomware victims who promptly report attacks to appropriate law-enforcement, such as the Cybersecurity and Infrastructure Security Agency (part of the Department of Homeland Security), the local FBI field office, the FBI Internet Crime Complaint Center, or the local U.S. Secret Service office.
To paraphrase a hit song from the Temptations, you better get ready, ‘cause here they come. If you don’t, you may end up like another Temptations hit, a ball of confusion.
John B. Farmer is a lawyer with Leading-Edge Law Group PLC, which specializes in intellectual property law. He can be reached at www.leadingedgelaw.com.