Ransomware attacks ran rampant in 2020 – and so did ransom demands.
The choice to pay – or not pay – a ransom demand usually boils down to a business decision. For example, Tillamook County, Oregon paid $300,000 after its IT environment was disabled for two weeks. According to one county commissioner, it would’ve taken one to two years and $1 million to decrypt the system if the ransom went unpaid.
Given the importance of your data, it’s understandable if your initial instinct may be to pay the ransom if you’re ever in a ransomware situation. However, the Office of Foreign Assets Control (OFAC) issued an ransomware advisory that may make this decision more difficult than you’d like.
Let us explain.
The OFAC advisory was created to “alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.”
In other words, you could face civil penalties for paying ransoms to sanctioned entities and individuals. That list includes those on “OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.” Transactions that violate the International Emergency Economic Powers Act (IEEPA) are also prohibited.
If you do pay one of those entities – either directly or indirectly through a cyber insurance firm – OFAC may impose penalties, even if you didn’t know the entity was on the list.
The full text of the OFAC ransomware advisory is available on the Treasury Department’s website.
Yes – so long as the attacker isn’t among the restricted entities on OFAC’s list.
Note that the burden of proof remains with your organization. As a result, the payment could be delayed since you need to first confirm you’re not violating the Treasury Department’s rules. Of course, as the advisory notes, ransom payments fund criminals and adversaries, and can motivate future attacks, not to mention that paying doesn’t guarantee you’ll recover your data.
You can avoid the dilemma of whether to pay entirely by taking the right precautions now.
Make sure you have the proper safeguards in place to prevent ransomware attacks to decrease your chances of falling victim. You should:
But even if you have protections in place to protect your data from hackers, nothing is foolproof. You still need a plan for recovering your data in the event it becomes compromised. Just know: A traditional DR plan isn’t enough.
Traditional DR plans focus on a physical infrastructure compromise. Compromised data recovery is a completely different recovery case with a much higher likelihood – it should be expected to happen! You must plan for both recovery scenarios and the many differences between them.
Recovering compromised data after a successful cyberattack requires a flexible strategy since each data recovery scenario is unique. Your approach will change depending on the data that was compromised, the attack approach, and your company itself. You can prepare for a data compromising cyberattack by:
2020 was a banner year for ransomware attacks. And there’s suspicion that 2021 isn’t going to get much better.
The OFAC ransomware advisory may limit your options in the event of you’re hit with a ransomware attack, so it’s more important than ever to have a data recovery program in place that leverages best practices.
By implementing the right strategies and having a team ready and able to lead your compromised data recovery, you’ll be better prepared to manage and control the situation.