The impact of a ransomware incident on a company ranges from minor inconvenience, such as interrupted services, to a business being unable to recover financially, which makes mitigating the effect of such a breach urgent.
What is ransomware?
Ransomware is a type of malicious software (malware) designed to encrypt files on a device, rendering them unusable, and often also to threaten publication of the victim's data unless a ransom is paid.
Because the risk to the threat actors (the parties partially or fully responsible for the incidents) is low and the reward high, ransomware is a highly lucrative business model.
Why is ransomware dangerous?
Threat actors' earnings grow when a business lacks the processes to deal with an attack: without usable backups, an incident response plan, a business continuity plan and similar controls, a victim may have no option but to pay the full ransom.
With its data and operations held hostage, nearly 25% of businesses feel compelled to pay the ransom; however, any extortion payment must comply with federal regulations.
What are the laws?
In October 2020, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) released an advisory setting out the sanctions risks of facilitating ransomware payments.
The advisory states that parties facilitating a ransomware payment on behalf of the compromised entity (for example financial institutions, cyber insurers, and digital forensics and incident response firms) must screen the transaction against OFAC's Specially Designated Nationals and Blocked Persons (SDN) List, comprehensively embargoed countries and regions, and other blocked persons.
OFAC designates malicious cyber actors under its cyber-related sanctions program and others, including:
The developer of Cryptolocker, which infected more than 234,000 computers worldwide in 2013 and 2014.
A caveat rather than a designation: Monero, which some groups demand instead of Bitcoin, is not itself sanctioned, but its privacy features obscure transaction amounts, sources and destinations to achieve anonymity and fungibility. That defeats the blockchain analysis relied on for due diligence, so a demand in Monero raises the sanctions risk of any payment.
North Korea's Lazarus Group and its subgroups Bluenoroff and Andariel, associated with the 2017 WannaCry attacks, which impacted approximately 300,000 computers in at least 150 countries.
Russia-based cybercriminal organization Evil Corp and its leader, for developing the Dridex malware, which infected computers and harvested login credentials from hundreds of banks and financial institutions, ultimately stealing upwards of $100 million.
OFAC may impose civil penalties for sanctions violations on a strict-liability basis: a person can be held liable even if they did not know they were transacting with a party prohibited under OFAC's laws and regulations.
All parties supporting the targeted company should act in good faith, report the incident to law enforcement promptly and fully, and document reasonable due diligence establishing that the threat actor is not on the SDN List. Each of these items must be completed, and reviewed, before any payment is made.
To support that OFAC review, the parties engaged on the ransomware incident (a breach response firm, a data privacy attorney or breach coach, or other assigned investigative personnel) can help assess where the specific ransomware variant originated.
This is done by reviewing the ransom note for contact information and payment addresses, analyzing the malware variant's behavior, and comparing the observed tactics, techniques, and procedures (TTPs) with those of past campaigns attributed to a sanctioned group.
The malware and attack pattern can also be examined through reverse engineering to see whether the binary can be tied to a known threat group or entity, for example through shared code, tooling or infrastructure.
As an additional layer of due diligence, the payment wallet named in the ransom note (most often a Bitcoin address) can be traced with blockchain analysis. Although the ledger is decentralized and pseudonymous, transaction flows are public, so a wallet can often be linked to known clusters and to addresses that OFAC has already listed.
This data forms part of the OFAC check, which must ensure that no one on the SDN List receives funds.
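The following Python script is an added example, not part of the original article and not ECC IT's tooling. It performs the first mechanical step of the due diligence above: it extracts the contact channels and payment wallets from a ransom note, rejects wallet strings whose checksum does not verify (copy or OCR damage that would otherwise pollute a sanctions check), and matches the remaining wallets against a deny list of digital currency addresses. The ransom note and the deny list are constructed for the example; the wallets in it are well-known public example addresses, not actual SDN entries. A real screening must use the current SDN List published by OFAC, whose entries can include digital currency addresses, and its output feeds the human review described above rather than replacing it.

```python
import hashlib
import re

# Constructed sample ransom note for demonstration; not a real artifact.
# Wallets are well-known public example addresses (the genesis-block coinbase
# address and the BIP173 test vector); the last one has a corrupted checksum.
SAMPLE_NOTE = """\
!!! ALL YOUR FILES ARE ENCRYPTED !!!
To recover your data write to: restore-files@example.com
Reserve contact: restore-files2@example.net
Our portal (Tor Browser required): http://abcdefghijklmnop.onion/login
Pay 2.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
or to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
(old wallet, do not use: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)
"""

# Constructed stand-in for the digital currency addresses that appear on SDN
# entries. A real screening pulls the current list from OFAC; this is not it.
SAMPLE_SDN_ADDRESSES = {
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": "EXAMPLE LISTED ENTITY (constructed)",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
BASE58_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BECH32_ADDR_RE = re.compile(r"\bbc1[a-z0-9]{39,59}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_valid(addr: str) -> bool:
    """Decode a legacy (1.../3...) address and verify its double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' encodes a leading zero byte that the integer form loses.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_polymod(values):
    """BIP173 checksum polynomial; a valid bech32 string yields 1."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """Verify the checksum of a native SegWit v0 (bc1q...) address."""
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if not sep or not hrp or len(data) < 6:
        return False
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_expanded + values) == 1


def extract_indicators(note: str) -> dict:
    """Pull contact channels and payment wallets out of ransom-note text.

    Wallet strings that fail their checksum are reported separately: they are
    copy damage or bait and must not be submitted for screening as-is.
    """
    candidates = set(BASE58_ADDR_RE.findall(note)) | set(BECH32_ADDR_RE.findall(note))
    valid, malformed = [], []
    for addr in sorted(candidates):
        ok = bech32_valid(addr) if addr.startswith("bc1") else base58check_valid(addr)
        (valid if ok else malformed).append(addr)
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "onion_hosts": sorted(set(ONION_RE.findall(note))),
        "btc_addresses": valid,
        "btc_malformed": malformed,
    }


def screen_against_sdn(note: str, sdn_addresses: dict) -> list:
    """Return (wallet, listed entity) pairs for wallets that match the deny list."""
    found = extract_indicators(note)
    return [(a, sdn_addresses[a]) for a in found["btc_addresses"] if a in sdn_addresses]


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_NOTE))
    for wallet, entity in screen_against_sdn(SAMPLE_NOTE, SAMPLE_SDN_ADDRESSES):
        print(f"BLOCK: {wallet} is listed for {entity}; do not pay, escalate to counsel")
```

Run it directly to print the extracted indicators and any blocked wallet. The same structure extends to other chains by adding a regex and a checksum validator per address format. A Monero address can be matched syntactically in the same way but cannot be traced on a public ledger, so a demand in Monero should be escalated for manual review rather than cleared by automation.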
What can you do?
Since ransomware payments to such persons or groups could fund attacks or activities that endanger national security or undermine foreign policy objectives, they are not only a security risk but an encouragement for continued attacks.
To mitigate the impact of a ransomware attack or any breach, ECC IT clients are urged to leverage ECC IT Security services to audit security controls, build incident response and business continuity plans, and audit backups (including offline or immutable copies and tested restores) so that there are layers of redundancy in the response.
Taking these proactive steps greatly reduces exposure to a major incident that might otherwise end in a payment to a threat actor.
If you have any questions about the information above, please contact your E. Cohen advisor.