While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire. As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020. The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment. OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.
Octillo is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.
A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:
The Incident
Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid. When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Octillo, and your cybersecurity insurance carrier.
Common Questions
In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward? Is it allowed? And if there are no other options for remediation and restoring from backups, how is it done?
The Response to Ransom Demands
Depending on the situation, ransoms are sometimes paid. This is not a default position, but can be the necessary and most logical step in response to a ransomware incident. Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment. Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group.
OFAC’s Impact
The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions. The advisory serves as a reminder of existing practices and policies:
- Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
- Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
- Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
- Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required. Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.
The Result
OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm. If your company finds itself under attack, look to experienced incident response lawyers, like Octillo, to help. As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise. By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.
Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.
*Attorney Advertising. Prior results do not guarantee future outcomes.
Subscribe to our Newsletter.