Ransomware attacks ran rampant in 2020 – and so did ransom demands.
The choice to pay – or not pay – a ransom demand usually boils down to a business decision. For example, Tillamook County, Oregon paid $300,000 after its IT environment was disabled for two weeks. According to one county commissioner, it would’voe taken one to two years and $1 million to decrypt the system if the ransom went unpaid.
Given the importance of your data, it’s understandable if your initial instinct may be to pay the ransom if you’re ever in a ransomware situation. However, the Office of Foreign Assets Control (OFAC) issued an ransomware advisory that may make this decision more difficult than you’d like.
Let us explain.
What does the OFAC advisory on ransomware say?
The OFAC advisory was created to “alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.”
In other words, you could face civil penalties for paying ransoms to sanctioned entities and individuals. That list includes those on “OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.” Transactions that violate the International Emergency Economic Powers Act (IEEPA) are also prohibited.
If you do pay one of those entities – either directly or indirectly through a cyber insurance firm – OFAC may impose penalties, even if you didn’t know the entity was on the list.
The full text of the OFAC ransomware advisory is available on the Treasury Department’s website.
Can you still pay the ransom?
Yes – so long as the attacker isn’t among the restricted entities on OFAC’s list.
Note that the burden of proof remains with your organisation. As a result, the payment could be delayed since you need to first confirm you’re not violating the Treasury Department’s rules. Of course, as the advisory notes, ransom payments fund criminals and adversaries, and can motivate future attacks, not to mention that paying doesn’t guarantee you’ll recover your data.
Having a data recovery plan is more critical than ever
You can avoid the dilemma of whether to pay entirely by taking the right precautions now.
Make sure you have the proper safeguards in place to prevent ransomware attacks to decrease your chances of falling victim. You should:
- Keep your backups current and separate
- Segment your network
- Patch and harden your systems
- Add tools to detect known ransomware
- Educate and train your employees on how to spot suspicious emails
But even if you have protections in place to protect your data from hackers, nothing is foolproof. You still need a plan for recovering your data in the event it becomes compromised. Just know: A traditional DR plan isn’t enough.
How to recover compromised data
Traditional DR plans focus on a physical infrastructure compromise. Compromised data recovery is a completely different recovery case with a much higher likelihood – it should be expected to happen! You must plan for both recovery scenarios and the many differences between them.
Recovering compromised data after a successful cyberattack requires a flexible strategy since each data recovery scenario is unique. Your approach will change depending on the data that was compromised, the attack approach, and your company itself. You can prepare for a data compromising cyberattack by:
- Identifying your vital data assets (VDAs), which are the small subsets of data that justifiably require an added level of protection beyond what you are doing for DR purposes.
- Protecting those VDAs through vault technologies such as immutable storage, air-gapped backups, WORM-locked data copies, and mass recovery.
- Expanding your malware detection to those vaults and scanning that data as new malware threats are uncovered.
- Developing formal teams and plans focused on data recovery, which may include participation by external experts from cybersecurity, insurance and legal disciplines.
- Verifying readiness through tabletop discussions and functional data recovery tests.
Stay ready and alert
2020 was a banner year for ransomware attacks. And there’s suspicion that 2021 isn’t going to get much better.
The OFAC ransomware advisory may limit your options in the event of you’re hit with a ransomware attack, so it’s more important than ever to have a data recovery programme in place that leverages best practises.
By implementing the right strategies and having a team ready and able to lead your compromised data recovery, you’ll be better prepared to manage and control the situation.