Ransom Payments and Victim Notice Requirements Come under Federal Scrutiny

There is no shortage of victims when ransomware appears. And last week, the White House announced sanctions for the first time against a cryptocurrency broker (SUEX OTC) in Russia. The WSJ reported that SUEX was “helping to launder ransomware payments.” It is expected that the US Treasury will also announce broader sanctions against the use of cryptocurrency to meet ransom demands.

SUEX has received over $160 million in Bitcoin alone from ransomware, scams and darknet operators, according to Chainalysis. This approach targets the funding source and will make it more difficult for hackers to process their illicit payments. Chainalysis reports that SUEX has received “nearly $13 million from ransomware operators Conti, Maze and Ryuk.”

A Sanction Waiting To Happen

This enforcement action was inevitable. The FBI testified at US Senate hearings that over $1 billion in crypto-related ransom demands were made in 2020. It’s not just a USA problem either: many countries are scrambling to cut off the funds that drive these criminal syndicates. Last year, the US Treasury Office of Foreign Assets Control (OFAC) released an Advisory that cautioned companies against paying ransom to Specially Designated Nationals (SDNs) (covered in detail here). This week, they updated their guidance, and a few strong themes are present.

“OFAC is doubling down on the importance of careful diligence in connection with any payment, including a push for cooperation with law enforcement and other agencies,” said Luke Dembosky, Partner, Debevoise & Plimpton.

Companies are on notice that they must have procedures in place to determine whether a payment has a nexus to an SDN or a sanctioned malware group. This can be tricky, as attribution is not an exact science.

This is a complex problem to solve because not all companies are prepared for a ransom attack. The Advisory points to the US Treasury Framework for Compliance and the CISA Ransomware Guide, and in effect says: if you do these things (put backups in place, patch systems regularly, implement risk-based assessments, technical controls such as EDR, and an Incident Response Plan), then, if you are later caught in a ransom situation involving an SDN, you will likely not be fined.

“Biden’s Executive Order is a call to action by federal agencies to do something (anything) about the relentless cyber attacks by nation state actors”, said Justine Phillips, Partner, Sheppard Mullin. “This new guidance will not impact how our team investigates and evaluates ransomware attacks because we will continue using professional ransom surrogates that vet the bitcoin wallets and accounts, to understand whether the account could be associated or controlled by a group on OFAC’s naughty list.”

Sharing Data Can Aid The Fight Against Ransomware

The guidance continues to create incentives for another important initiative: data sharing. Every ransom attack provides valuable data about the code, the crypto wallets and the threat actors, and if you offer up that information “willingly,” it will weigh in your favor. Sharing data is a good thing, and here it is positioned as having an added benefit, since the victim is actively trying to help the FBI. This is a community-wide problem that requires a public-private solution, and this approach is needed.

The ransoms are generally paid by experts who are able to run the required checks on SDNs. I asked David Nides, Principal at KPMG LLP, if this advisory will impact how they address client incidents. “It is good to see the advancement of actions to disrupt payments but more robust advisories will be needed to make a true impact. I do not see the latest advisory changing how we technically respond and investigate incidents.”

Cyber insurance carriers and brokers are also closely tracking these developments. “With this most recent OFAC action, we may see insureds not being able to make extortion payments and/or insurers unable to reimburse extortion payments. This could ultimately lead to larger BI related losses related to ransomware events,” said Jesus Gonzalez, Deputy Global Practice Leader, Intangible Assets, Aon insurance brokerage.

CISA Asks For Tighter Reporting Guidelines

Also this week, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, asked Congress to tighten guidelines for reporting by critical infrastructure companies when a ransom attack occurs.

Director Easterly asked for a 24-hour reporting window because the compressed response times require the ability to share valuable threat data and track crypto wallets in pursuit of the hackers; these data lose value as time passes. The request for heightened reporting standards would also carry financial penalties for companies that choose not to report.

Some insurance experts estimate that only 10% – 15% of actual cyber attacks are reported. Companies often don’t report because it puts a spotlight on them and, if they are a public company, it could impact their stock. The SEC guidelines require disclosure to investors about material cybersecurity risks, even if the company hasn’t experienced a cyber attack. Would these new rules, if put in place, drive the reporting that is necessary? Many companies fear liability from lawsuits if they admit that they had inadequate security controls and processes in place.

Conclusion

There is growing consensus that ransomware payments should be outlawed, but given the state of company backups and preparedness, this isn’t likely in the short term. However, federal action since the Colonial Pipeline incident shows resolve to strike back against the criminal syndicates. Combined with internationally coordinated technical responses like the takedown of Emotet, we are seeing a more offensive posture by law enforcement and regulators that is welcomed by corporate victims.

For now, your best bet is to implement and test your IR plan, technical controls and backups. Review your risk planning and tech stack with your cyber insurance broker in advance of policy renewal to ensure that you comply with the stringent new underwriting guidelines.