“We do not negotiate with terrorists or criminals.” This is the default stance of most branches of the United States government, and the Treasury Department is no exception. In fact, the Department has made its position perfectly clear: Not only will they not negotiate or deal with any sanctioned entities, they won’t tolerate any organizations on US soil doing the same. Thus, any businesses that transact with these sanctioned entities will technically be breaking the law and potentially liable to sanctions, including rather steep fines.
This new mandate has some difficult implications for victims of ransomware attacks, whom the OFAC (Office of Foreign Assets Control) specifically called out for potential sanctions violations. Ransomware victims suffer from criminal organizations and hackers infiltrating their systems and installing software that locks away business-critical data. These entities then charge them an eponymous ransom to have this data unlocked.
Because the data is often essential to their business functions, lack of access to it could result in severe financial losses or even business termination and closure. Thus, many of these businesses opt to pay this ransom in the hopes that access will be restored, even if no guarantee exists that the criminal organizations will remain true to their word.
However, this new ruling creates a potential lose-lose situation for these victims: fail to pay the ransom and risk going out of business, or pay it and get slapped with criminal charges and fines. The same sanctions apply to the incident response and payment-facilitating companies involved in carrying out these transactions.
The Garmin factor
A high-profile incident involving the GPS technology producer Garmin is believed to have triggered this dropping of the hammer from the Treasury Department. Garmin was targeted in a ransomware attack by the blacklisted, rather descriptively named Russian cybercriminal group Evil Corp. After partnering with an incident response firm, Garmin is reported to have paid the multimillion-dollar ransom Evil Corp had demanded.
Similar attacks are reportedly on the rise, with over 100 such attacks in October 2020, double the known figure for September. As such, the intent of the Department’s new mandate is to stem this tide, discouraging such attacks by preventing organizations like Evil Corp from profiting off them. Otherwise, such attacks are indeed lucrative: ransoms for smaller companies range in the six figures, while seven- and eight-figure demands are known to be presented to larger firms.
What does this mean for the victims?
The question then arises, what are the victims expected to do in these circumstances? The Department has made it clear that plausible deniability is not a permissible excuse. Being unaware that an entity has been sanctioned does not absolve the victim of copping the corresponding penalties if they choose to deal with them. One way that victims can strengthen their case in such an event, however, is reporting the incident to law enforcement as soon as possible. Such an action is interpreted as cooperation and serves as a “significant mitigating factor” in determining penalties.
Instead, victims are expected to verify whether a given entity is on the government’s blacklist, and are given the option of appealing for an exemption. These appeals are reviewed on a case-by-case basis, although the Department has said that a presumption of denial should be the prevailing mindset.
What can I do?
An unfortunate reality is that most of the criminal organizations perpetrating these attacks are based outside the US, making them far less subject to penalties for their lawbreaking activities than their victims. With their hands tied, unable to pay their way out of the problem, and with hopes of external salvation slim, ransomware attack victims are left with precious few options.
This is why it’s more important than ever that organizations protect themselves against such attacks and take all precautions possible so they don’t find themselves in such a situation. They need a robust cybersecurity framework composed of advanced anti-malware software, threat protection, and data backup solutions, just to name a few.
Thankfully, we at F1 Solutions are around to help equip your business so that this grim reality never comes to pass. As a leading managed IT services provider in Alabama, we provide businesses with cutting-edge defenses to keep their data out of the hacker’s clutches. Call us now to get started.