The impacts that a ransomware incident can have on a company range from minor inconveniences, such as interruption of services, to a business being unable to recover financially, creating an urgency to mitigate the effect of such a breach.
Ransomware is a type of malicious software, also known as malware, designed to encrypt files on a device, rendering them unusable or threatening to publish the victim’s personal data unless a ransom is paid.
This low-risk, high-reward paradigm for threat actors — those partially or fully responsible for the incidents — makes ransomware attacks a highly lucrative business model.
Earnings become increasingly inflated when a business does not have the proper processes to deal with the attack. A maximum ransom may be paid due to a lack of backups, absent or inadequate incident response and business continuity plans, and other gaps.
When their data and operations are held hostage, nearly 25% of businesses are compelled to pay the ransom; however, any extortion payment must follow federal regulations.
In October 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory setting clear guidelines for processing ransom payments.
The advisory states that ransomware payment facilitators — which act on behalf of the compromised entity — should carefully review and scrutinize the office’s Specially Designated Nationals and Blocked Persons (SDN) List, as well as embargoed countries and other blocked persons.
OFAC designates malicious cyber actors under its cyber-related sanctions program and others, including:
OFAC may impose civil penalties for sanctions violations even if the paying party was unaware that they were dealing with someone prohibited under the office’s sanctions laws and regulations.
The goal for all listed parties supporting the targeted company is to act in good faith, provide notice to the authorities about the incident, and reasonably prove that the threat actor is not on the SDN List, all of which must be reviewed with timely due diligence.
To comply with OFAC, the parties supporting the ransomware engagement — including a breach response firm, data privacy attorney or breach coach, or other assigned investigative personnel — can help assess where the specific ransomware variant originated.
This is done by reviewing the ransom note for contact information, examining the malware variant’s behavior, and reviewing past campaigns’ tactics, techniques, and procedures (TTPs) that may correlate to an embargoed group.
The malware and attack pattern can be examined through reverse engineering to see if the binary code can be tied to any known threat groups or entities.
As an additional layer of due diligence, the attacker’s use of decentralized, largely anonymized crypto markets, crypto ledgers and, in some cases, specific Bitcoin wallets can also be examined through blockchain analysis to help identify the culprit.
This data will be part of the OFAC check to ensure that no one on the SDN List receives any funds, which would conflict with pre-established OFAC guidelines.
Since ransomware payments to such persons or groups could be used to fund attacks or activities that endanger national security or counter foreign policy objectives, they are deemed not only a security risk but an immoral encouragement for continued future attacks.
To mitigate the impact of a ransomware attack or any breach, ECC IT clients are urged to leverage ECC IT Security services to audit security controls, build incident response and business continuity plans, and audit backups to provide layers of redundancy in the response to such assaults.
Taking these proactive steps will greatly reduce the potential risk exposure to a major incident that may result in processing payment to threat actors worldwide.
If you have any questions about the information above, please contact your E. Cohen advisor.