By now, most everyone knows that ransomware is software that infects your computer system, makes your data irretrievable and usually breaks things along the way. To unlock your system, the bad guys (or girls) demand that you pay a ransom, usually in Bitcoin or a similar currency. In exchange for your payment, the bad guys promise to provide you the key to unlock your data and promise not to release your data on the Internet or auction it off to the highest criminal bidder. Depending on the professionalism (yes, professionalism) of the bad guy, once you’ve made your payment, you may or may not be able to unlock your system, and they may or may not delete your data rather than release or auction it.
In the United States, federal law enforcement authorities have long requested that companies not pay ransoms. This used to be for the salutary reason that if no company paid, there would be no market for ransomware. Likewise, there was the annoying problem that paying ransoms is technically illegal under U.S. law. I am not, however, aware of any prosecution of a company that paid a ransom.
Whether companies pay is a complicated calculus combining factors such as firm culture, fiduciary responsibilities, ability to pay, availability of insurance funds, likelihood of data/system recovery, likelihood of release of data, the sensitivity of data, as well as other factors including federal law enforcement’s policy and so on. Notably, given that ransomers have now evolved to monetizing the data itself, failing to pay a ransom will no longer eliminate the ransomware market but instead would serve only to depress the value of the illegal act. That said, we all know from business school that a low fixed cost coupled with a low variable cost should usually yield a high profit margin even if you must attack in volume. And voila, the current ransomware industry!
Enter stage left the Office of Foreign Assets Control (OFAC). OFAC is a division of the United States Department of the Treasury that, according to its website:
[A]dministers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
OFAC has long been involved in anti-money laundering activities and other actions designed to prevent “enemies of the state” from receiving money from U.S. (and other) sources. To support its efforts, OFAC maintains a list of individuals, companies and organizations that play, or are believed to play, a role in actions against the interests of the United States, such as terrorists, drug traffickers, targeted countries and the like.
OFAC has now announced that it will begin to sanction companies, individuals and intermediaries that pay ransoms to persons or organizations that are on the OFAC lists. OFAC has taken the position that it will sanction such persons even if, at the time of payment, the recipient is not known to be on the list but is later determined to have been. Consider too that it is well established that ransomware is frequently sponsored not only by organized crime, but also by state actors and terrorists.
Further and interesting—in a bad way—is that OFAC is taking the position that banks, attorneys, accountants, negotiators, forensics specialists and the like that aid in such payments may likewise be targeted by OFAC. In other words, pay a bad guy at your own risk as well as that of your counselors. Note too—admitted conspiracy theory here—the federal intelligence community, and perhaps to a lesser extent federal law enforcement, is generally in a better position to know “who” the bad actors are in this arena compared to you or me who simply react to a breach.
There are a few takeaways from OFAC’s announcement. The first is that OFAC is raising the stakes in data breach cases such that persons and organizations responding to a breach now must face the pressure exerted not only by the criminal himself or herself, but also the pressure of directors, stockholders, employees and regulators, with regulators now including OFAC. Additionally, with OFAC’s pronouncement that it will proceed against not only the payer but also the facilitators, there will certainly be a chilling effect on the advice and services such trusted advisors will provide. Few lawyers, bankers and now even insurers will be willing to face penalties for assisting in a payment to a nebulous, unidentified person or organization. Indeed, it is exceedingly likely that insurers will no longer offer ransom payment as part of their coverage.
Finally, OFAC’s decision pits what may be best for the company and its stakeholders against the broader interests of the United States. Sadly, the federal government has done a pitiful job of leading the defense of middle and small market companies or even “helping” them when they face a breach.