The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has warned users against paying to release their files after suffering ransomware attacks.
The attacks are the result of malicious software that locks important files and demands payment to release them, usually with a short time limit. If the payment isn't made, the files are deleted permanently.
Not only is the OFAC stating that the charges shouldn't be paid, it also states that doing so would violate its own regulations, and could even carry a fine. So, should businesses suffer in silence?
The Rise of Ransomware
Ransomware is software that, as the name suggests, essentially holds your computer or network hostage, and demands payment before allowing access to your files again. Victims are usually presented with a screen that shows payment information, and the currency of choice is almost always Bitcoin, thanks to the difficulty in tracing it. While anyone can be a victim of ransomware, attackers tend to go after companies and institutions rather than individuals, thanks to the much higher rewards.
With many of us working from home in 2020 due to the pandemic, ransomware is on the rise, as company security is compromised by having staff working remotely. According to one report, ransomware is expected to cost victims $20 billion in 2020.
We've already seen a number of high-profile cases this year. Several colleges in both the US and UK fell foul of ransomware that came via a vulnerability in their cloud provider, Blackbaud. While Blackbaud states that no details were compromised, it did pay the ransom to release the files.
Similarly, back in August, Garmin suffered an outage which took nearly all of its services offline. Garmin released a statement stating it had been the victim of a cyberattack, and got its systems back online within four days. While it never confirmed or denied the rumor of a ransom, some news outlets reported that hackers asked the company for $10 million.
Advice from the US Treasury Department
In light of the rise of ransomware attacks, the US Treasury Department has issued a statement containing advice on how to deal with them. Essentially, it comes down to ‘don't pay’, which might be a tough call for companies that are fearful of valuable company data being lost if the ransom isn't paid within the given time limit.
The OFAC gives several reasons for not paying the ransom. One is that successful attacks only embolden hackers to go on and commit more – the theory being that the continued financial benefit will simply see the rise in ransomware attacks continue. By not paying the ransom, the hope is that as the attacks become less and less successful, they will eventually dry up. It's the same ‘we will not negotiate with terrorists’ logic that the US government has abided by for some time.
“Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.” – OFAC statement
Another reason for not paying is that the vast majority of these attacks come from overseas, usually from countries with sanctions imposed on them by the US, and sending money could fall under the authority of the International Emergency Economic Powers Act and the Trading with the Enemy Act. The statement from OFAC lists countries such as Syria, Cuba, Iran and North Korea as falling under this umbrella.
Should a US company pay a ransom in this manner, according to the OFAC, it would then be in breach of regulations and could be landed with a fine. The advice, instead, is to contact the Office of Cybersecurity and Critical Infrastructure Protection.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response may risk violating OFAC regulations.” – OFAC statement
How to Avoid Ransomware Attacks
As mentioned, ransomware attacks tend to favor companies and institutions, but that doesn't mean the individual is off the hook – in reality, anyone can fall victim to an attack, and hackers don't really care where their money comes from.
Ensuring that security precautions are robust and up to date is key, just as it would be for any form of malware. The best prevention is precaution. Using anti-virus software, for example, is a great first line of defense, whether you're an individual user or a business.
Many companies are also using VPNs to protect both their employees and themselves, as many staff continue to work from home. A VPN on its own won't stop a ransomware attack, but paired with other security precautions such as anti-virus software, it does make the user's security a lot more robust.