US Treasury: It may be illegal to pay that ransom
Today the US Treasury released two statements, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC). The important one for our clients is the OFAC order, specifically this part:
OFAC issued an advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities. OFAC said it has imposed and will continue to impose sanctions on those who “materially assist, sponsor, or provide financial, material, or technological support” for ransomware activities.
In the event that you get ransomed, you or your managed IT/managed service provider may have liability for making payments. Identified groups include:
A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.
Source: https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/
How much are these fines? Up to $20 million.
What does this mean to your small/mid-sized business?
The real answer is nobody quite knows yet. The general consensus is that if you or your managed services (IT) provider pay ransoms, you could be on the hook with the Treasury Department. This could be especially problematic if you are attacked by Maze, an organization that not only encrypts your data but will also release your files to the dark web if you do not pay.
That being said, if you do find yourself in a ransomware situation, the first call should be to your cyber insurance provider; follow their guidance on response and actions. Your IT team should be functioning in a supporting role through this whole process, not leading. Even an outsourced IT team may deal with only a couple of breaches per year, whereas incident response teams deal with several per day. They will have a much better understanding of these situations and the liabilities, and can guide you on possible risks and impacts.