Ransomware finds its victims opportunistically or by deliberate targeting, and each week the technology and the business model adapt. Some victims pay the ransom to get back online faster; others don’t. The decision to pay is more complex than it appears: victims, IR firms, insurance companies and the parties who actually send the Bitcoin could all be subject to fines and/or criminal penalties.
“The increase in ransomware attacks over the last two years has been dramatic,” said Chris Keegan of Beecher Carlson. “Costs of attacks and payments have increased significantly, and the sophistication of the malware has increased substantially.”
- Ransomware claims increased 239% from 2018 to 2019
- Cost of ransomware payments increased 228% from 2018 to 2019
- Average ransomware payments increased 31% from Q2 to Q3 2020
- Ransomware payments in 2019 were 3X 2018 payments
- Extortion demands paid in 2019 were 4X 2018 amounts
- Ransomware incidents where data had been exfiltrated increased from 8.77% to 22% from Q1 to Q2 2020
Those data indicate widespread losses and raise the question: can this approach continue? For a company that has suffered a loss, it can be devastating. Keegan added that “cyber insurance payouts have increased significantly as a result of these developments and the markets are reacting by increasing premiums and seeking to provide tools to help insureds better identify and correct vulnerabilities. In addition, insurers are focusing on more careful selection of their policyholders.”
You Don’t Always Get What You Pay For
Attackers have become very sophisticated at pressuring victims to pay, but for enterprises, it’s not as simple as that.
Take the Blackbaud breach of May 2020. The company reported that “cybercriminals were able to remove a copy of a subset of data from Blackbaud’s self-hosted environment.” Blackbaud hired a third-party firm to negotiate with the attackers and stated, “we only paid the ransom when we received credible confirmation that the data was destroyed.”
Blackbaud describes itself as a “U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software.” In July it notified clients that, while it had suffered a breach, no sensitive customer data was involved. In September, Blackbaud filed a Form 8-K with the SEC disclosing that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”
Large cloud providers concentrate risk for their downstream clients. Northshore University Health System had the PHI of 348,000 patients exposed as a result of the Blackbaud incident. There are currently 23 class action lawsuits against Blackbaud and another 160 claims from the USA, UK and Canada. Blackbaud reported “breach related expenses of $3.6 million through September, with $2.9 million in accrued insurance recoveries.”
It’s important to keep in mind that Blackbaud is a victim. Unfortunately, given the connected nature of their business model, offering services to non-profits, there is a shared responsibility for data that is ongoing. We place a higher burden on larger, publicly traded entities and expect them to embrace stewardship of our data better than we can ourselves.
Garden-variety ransomware encrypts data and demands a Bitcoin payment to “unlock” the files. In the Blackbaud case, data was exfiltrated and the attackers promised to destroy it upon payment, a promise no victim can technically verify. The US Treasury and FBI have a policy against paying a ransom because it “not only encourages future ransomware payment demands but also may risk violating OFAC regulations….and threaten national security interests.”
Paying a Ransom Requires Resources…and Skill
As noted, Blackbaud hired an independent forensic firm to negotiate on its behalf, and based on its disclosure, insurance reimbursed a portion of that expense. On Oct 1, 2020, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory cautioning companies against making ransom payments. Paying a ransom without violating the law requires a skilled team.
“Most payments where insurance companies are involved are made through specialist ransomware negotiation and incident response (“IR”) companies with experts in negotiations with threat actors”, says Keegan. “The Bitcoin wallets of these companies are usually the source of the payment – though a small number of cyber insurance companies have their own in-house experts and wallets. If the payments are small enough, they can be made on credit usually backed by the guarantee of the insurance company or the insured. As the IR firm that has the best knowledge of the threat actors, the insurance companies rely heavily on their expertise and on the investigation done by them for confirmation that they are in compliance with OFAC, FinCEN and any other payment regulations. The SLA agreements with the IR companies will often stipulate that it is their responsibility. Insurers will also be looking to breach counsel and their insured for confirmation.”
Blackbaud paid the ransom to protect its clients’ data. Certainly, not having proper security or backups in place is negligent in today’s world. But when hospitals are reduced to “paper operations” and cannot access critical patient data or perform services, as happened across Universal Health Services’ 400 facilities, what is the greater harm? And how did Blackbaud know it was not diverting funds to a sanctioned person, which could trigger a fine against Blackbaud, its IR firm, or even the banks and exchanges facilitating the conversion into Bitcoin?
James Arnold of KPMG LLP shared a couple of interesting scenarios around attribution and the OFAC advisory. “How can the DFIR know for certain that a particular actor is responsible? And if the DFIR must represent that an SDN wasn’t involved, how can the Treasury prove us wrong? In October 2020, we began assisting a large multinational company who was suffering from a Wastedlocker attack. Following the release of OFAC’s October 1, 2020 Advisory, this company was advised by legal counsel that they could not deal with the hacker and as a result is experiencing significant business interruption and financial loss, to the point of possible bankruptcy.”
“This cannot be what OFAC intended,” Arnold added. “One radical suggestion might be to pass a law that says starting in January 2023, no US based companies will be allowed to pay any ransom related to a cyber-attack. This would force companies to begin enhancing their cyber security to address the most common control weaknesses that allow ransomware attacks to succeed like the lack of proper back-ups and failure to deploy MFA. NIST CF was phased in over several years and we now have better risk based controls and this would be a similar approach.”
Luke Emrich of RSM US LLP commented that his firm doesn’t make, get involved in, or facilitate any payment of ransom demands as part of an engagement. “No organization is ever the same after experiencing a ransomware event. We hope every ransomware victim has the ability to recover and rebuild in a way that leaves them stronger and more resilient to future attacks. The potential for OFAC sanctions may create a situation where a ransomware victim suffers a catastrophic loss, ultimately forcing them to close their doors due to damage and loss of systems, information and data required to run their business.”
“The struggle is when a business is faced with what is almost a life or death decision. Needing to pay to get their data back vs government penalties they will face from OFAC if they want to survive – they are going to pay 100% of the time – so the OFAC proclamation is ultimately meaningless. The penalty is an added cost of survival and the victim is just being taxed for being a victim,” said Keith Strassberg of Cybersafe Solutions, LLC.
OFAC Rules in Practice
David Tannenbaum, a former Treasury official, now of Blackstone Compliance Services LLC, notes “…this advisory is a reminder to the business community that OFAC regulations prohibit ransom payments to sanctioned persons. These prohibitions have always been in place, but OFAC typically issues advisories such as these when they see an uptick in risks or a prominent case and feel the need to raise awareness.”
The Treasury Department derives its authority to impose cyber-related sanctions from Executive Order 13694, under which it can designate persons (individuals or entities) who conduct certain malicious cyber activities. The listings can be confusing because they start with the most damaging malware families (Dridex, WannaCry, SamSam, CryptoLocker) and then attach persons (Evil Corp, etc.) to that malware once there is sufficient attribution. Arent Fox points out that there is a ‘Dridex Gang’ alias on the SDN list, which refers to the group rather than to the malware family itself. Malware is routinely shared, sold and leaked among criminals, so a WastedLocker attack could be launched by someone other than the designated person, and the malware family alone is weak evidence of who is behind an attack.
All of this means a ransomware victim needs to know what the malware is and, if it plans to pay, whether an SDN is behind the attack. The other parties involved, the DFIR firm, the insurance carrier and the payer, could all be held responsible. OFAC states that a victim’s involving law enforcement and documenting the steps it took to avoid dealing with SDNs is “a key mitigating measure to any sanctions enforcement case.”
“Attribution and enforcement of the OFAC and FinCEN rules may become more difficult due to moves away from Bitcoin to other crypto currencies which provide greater anonymity,” offered Keegan. “Further, tactics, techniques and procedures (TTPs) which are typically used for attribution are becoming increasingly shared with the rise of Ransomware as a Service. Ransomware criminals are eager not to put up any roadblocks to payment and go to great lengths to preserve their anonymity using frequently rotated burner cryptocurrency wallets. To date, we have not seen companies in the insurance industry, or their vendors, seek to get a license from the Treasury for an exception to OFAC rules for payment of ransomware.”
“Attribution has been a tough aspect during these matters. We all know definitive attribution is very difficult but even speculation of an OFAC-listed entity may preclude the facilitation of payments. This is where we need clarity and improvement,” said Anthony Dagostino of Lockton Companies.
Jeremy Murtishaw of DFIR firm Fortify24x7 says, “understanding the ‘who’, an individual or an APT group, is a difficult task. It requires the incident response team to really understand the source of the malware being used to distribute the ransomware, so informing OFAC and the FBI is required in advance of making the payment.”
Chris Prewitt of MCPC also noted the challenges DFIR firms face. “Attribution is incredibly difficult, and while OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program, quite often the victim organization has no idea who the criminal is or where they are located. How are they going to be certain of this? It seems like this is a poor attempt at slowing down ransom payments.”
Tannenbaum recommends that “DFIRs set up policies and procedures that outline key steps which it would take in each case to determine if there is a sanctions nexus. This process should be documented (such as to produce a checklist) to evidence the due diligence, which the other parties involved can reference when doing their own assessment.”
“At a high level, some of these controls may be:
❖ Using threat intelligence tools to determine if any of the evidence left behind (e.g. malware, ransom note, name of attacker, etc.) have been previously tied to a sanctioned party;
❖ Examining the cryptocurrency address to determine, through address clustering or other methods, whether the address provides any clues to the attacker’s provenance; and
❖ Examining the malware to determine if it is the same or similar to other malware attacks by sanctioned actors.”
If the DFIR firm conducts this analysis, it can place the attack in one of three categories: an SDN nexus, no SDN nexus, or uncertain, the gray area. In the first category payment is prohibited absent a license; in the third, the victim is left making a risk-based decision to pay without knowing whether a nexus to an SDN might later be established.
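The following script is an added illustration, not tooling from Tannenbaum, Blackstone Compliance, OFAC or any firm quoted here. It turns the three controls above (threat-intel matching of evidence, cryptocurrency address screening and clustering, malware-family comparison) into a repeatable screen that files an incident into one of the three categories and writes out the evidence trail other parties can review. The watchlist it consults is entirely constructed: the wallet addresses, cluster links and alias strings are hypothetical placeholders, not real SDN-list content. A malware-family match on its own is deliberately treated as uncertain rather than as an SDN nexus, because, as the article notes, malware is shared and a family name does not identify the operator.

```python
"""Sanctions-nexus triage for a ransomware case (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
import re


class Nexus(Enum):
    SDN = "SDN nexus"
    NONE = "no SDN nexus"
    UNCERTAIN = "uncertain (gray area)"


# Hypothetical watchlist a DFIR team would assemble from SDN entries plus
# threat-intelligence enrichment. Every value below is made up for illustration.
WATCHLIST = {
    # payment addresses listed as identifiers of a designated person (strong evidence)
    "wallets": {"bc1qexamplesanctionedwallet000000000000": "hypothetical SDN entry A"},
    # addresses that chain-analysis clustering links to a listed wallet (heuristic)
    "clusters": {"bc1qexampleclusterpeer11111111111111111": "clustered with SDN entry A"},
    # aliases/handles appearing on SDN entries (strong evidence if the attacker uses them)
    "aliases": {"dridex gang": "hypothetical alias on SDN entry A"},
    # malware families publicly tied to a designated actor (weak: tooling is shared/sold/leaked)
    "families": {"dridex": "hypothetical SDN entry A", "wastedlocker": "hypothetical SDN entry A"},
}

# Loose Bitcoin-address pattern (bech32 and legacy) used only to pull wallets out of a note.
BTC_RE = re.compile(r"\b(?:bc1[0-9a-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


@dataclass
class Evidence:
    malware_family: Optional[str] = None
    wallet_addresses: List[str] = field(default_factory=list)
    ransom_note: str = ""
    handles: List[str] = field(default_factory=list)


@dataclass
class Finding:
    nexus: Nexus
    checklist: List[str]  # documented evidence trail for insurer, counsel and payer


def assess(ev: Evidence) -> Finding:
    trail: List[str] = []
    strong: List[str] = []  # identifiers that belong to a designated person
    weak: List[str] = []    # heuristics that cannot establish attribution alone

    # Control 2: screen every wallet seen in the case against the list and its clusters.
    wallets = set(ev.wallet_addresses) | set(BTC_RE.findall(ev.ransom_note))
    for w in sorted(wallets):
        if w in WATCHLIST["wallets"]:
            strong.append(f"wallet {w} is a listed identifier: {WATCHLIST['wallets'][w]}")
        elif w in WATCHLIST["clusters"]:
            weak.append(f"wallet {w} clusters with a listed wallet: {WATCHLIST['clusters'][w]}")
    trail.append(f"checked {len(wallets)} wallet address(es) against listed wallets and clusters")

    # Control 1: look for listed aliases in the ransom note and any handles used.
    text = (ev.ransom_note + " " + " ".join(ev.handles)).lower()
    for alias, ref in WATCHLIST["aliases"].items():
        if alias in text:
            strong.append(f"alias '{alias}' found in note/handles: {ref}")
    trail.append("checked ransom note and attacker handles for listed aliases")

    # Control 3: compare the malware family with families tied to designated actors.
    fam = (ev.malware_family or "").lower()
    if fam in WATCHLIST["families"]:
        weak.append(f"family '{fam}' publicly tied to {WATCHLIST['families'][fam]} "
                    "(shared tooling; not attribution by itself)")
    trail.append(f"checked malware family '{fam or 'unknown'}' against designated-actor families")

    # Decision: any strong hit is a nexus; heuristics or an unidentified family are the gray area.
    if strong:
        nexus = Nexus.SDN
    elif weak or not fam:
        nexus = Nexus.UNCERTAIN
    else:
        nexus = Nexus.NONE
    trail.extend(strong + weak)
    trail.append(f"conclusion: {nexus.value}")
    return Finding(nexus, trail)


if __name__ == "__main__":
    # Constructed ransom note containing the hypothetical listed wallet.
    note = "Your files are encrypted. Send 40 BTC to bc1qexamplesanctionedwallet000000000000 within 72h."
    for line in assess(Evidence(malware_family="dridex", ransom_note=note)).checklist:
        print(line)
```

The checklist returned by `assess` is the artifact Tannenbaum describes: it records what was checked even when nothing matched, so a “no SDN nexus” conclusion is evidenced rather than assumed. Real deployments would replace the constructed watchlist with a maintained feed and add a human review step for the gray area.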
There is another option: obtaining a license from Treasury to pay the ransom even though an SDN is behind the malware. However, Tannenbaum cautions, “OFAC can issue a license to pay a ransom but stated in their advisory that they presume they will deny a license request…attacks which endanger the life and safety of individuals may be more likely to receive a license than ones which just disrupt commercial operations.”
Keegan noted that “a review of the OFAC and FinCEN fine lists over the last few years do not show any fines due to ransomware payments.”
Insurance Risk Transfer
Buying cyber insurance can offset losses and, in many cases, prevent them if the proactive services offered by the carrier are properly used. If there is a ransom event, the IR firms that have earned a slot on insurance panels have the best shot at recovering data and at negotiating and executing the Bitcoin transfer. But can the cyber insurance market continue to absorb ransomware losses that appear to be out of control?
“Most cyber insurance policies do not have specific exclusions for payment of ransomware which might be subject to OFAC and FinCEN restrictions but incorporate provisions which freeze the effect of the policy and make it subject to OFAC oversight in the event an entity or person claiming the benefits of the policy has violated any sanctions law,” said Keegan. “Insurance companies have indicated that they will be reluctant to act if that action is illegal, could affect their licensing or subject them to fines and penalties. However, our experience is that cyber insurance companies are honoring their contractual obligations and paying claims except for a very few cases where there is very clear evidence of payment to a banned entity. In those cases, the insureds, banks and IR firms are all under the same restrictions.”
That view is shared by other insurance brokers. “Insurance policies are written to respond to threats and losses suffered by the insured. You won’t see policies addressing ‘who is the origin of the bad actor’. If the insured organization suffers a covered loss, the insurers intend to cover it. There can be limitations in the form that could come into play such as a war or terrorism exclusion as well as an OFAC endorsement,” said David Lewison of AMWins Insurance.
“To date, the insurance market has not limited coverage for cyber-attacks but there have been adjustments in premium to cover the increased losses,” offered Keegan. How big are the price increases to keep your cyber insurance coverage or to add new coverage? “Insurance carrier rate increases of zero to five percent in the second quarter of 2020 gave way to five to fifteen percent increases in the third quarter, which were raised again to ten to thirty percent in the fourth quarter. Not all increases are in this range, but cyber insurance buyers should be prepared for requests at these levels. Some adjustments to the structure of programs, such as raising retentions, can be made to limit the increased costs and carriers are amenable to these discussions.”
But all coverage may be out the window if it involves a sanctioned entity involved with a ransomware payment. “The OFAC endorsements can become an issue if a ransom demand emanates from a country on the OFAC list. If the insurer is legally barred from sending funds to a listed country, there will be a problem paying off a ransom to recover systems or data. In this instance I would not expect all coverage to be taken away, just the ransom payment. There are other parts of the policy that would still respond to pay expenses associated with business interruption, forensics, data recovery, the potential for hardware replacement coverage depending on the policy form, legal fees and more,” Lewison added.
“Insureds typically understand OFAC restrictions in general but more education and advice is needed in the area of ransomware and how coverage responds. We’re also concerned with insurers that hold up covered expenses associated with the ransom. While prohibiting the actual demand payment is understandable if deemed to be the act of an SDN, holding up the business interruption loss or other IR costs is problematic,” added Dagostino.
“Ransomware has driven so many losses for the cyber insurance market, we’re seeing much more scrutiny of company’s controls for ransomware in the underwriting process before an event occurs. I think it’s likely we’ll see similar increases in scrutiny of the payments after an event as well,” said Dan Burke of Woodruff Sawyer.
Keegan shares a positive view on the OFAC advisory. “To date, the insurance market has seen only a small minority of situations where payments have been held up because of an indication that the payments might be being made to OFAC and FinCEN restricted entities. First, there are only a handful of known threat actor groups or individuals listed on the known Specially Designated Nationals (“SDN”) lists in addition to a short list of sanctioned nation states (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Further, there are very few instances where attribution can be made with a degree of certainty. Many businesses will not be able to get enough information on attribution before a decision is made on payment and so will be taking a risk in order to get their businesses operating.”
“Over the past few years insurance has created a database of bad actors…. which ones will provide functional decryption keys, which [hackers] may return looking for additional ransom and which ones may negotiate on the ransom amounts. We would hate to hear that someone paid a ransom and did not get their data back or have it corrupted beyond recovery. Having that institutional knowledge is another advantage of buying cyber insurance rather than tackling the problem alone,” said Lewison.
Ransomware victims need to be aware of the potential consequences of paying extortion. The OFAC advisory spells out the exposure: “Civil penalties per violation can be up to $307,922 or twice the value of the payment at issue (whichever is higher); and criminal penalties for knowing violations can be up to $1,000,000 and 20 years in prison.”
The decision to pay needs to come from senior management as they could suffer reputation damage in addition to the above penalties.
Every major standards body for cyber safety has published best practices for avoiding ransomware attacks. A capable endpoint security stack is needed, along with tested backups and a plan for responding when hit. But most companies have not factored paying extortion, and the sanctions exposure that comes with it, into their risk analysis, and it is not obvious who in the organization should own that task.
“It is important for each actor to consider the sanctions risks from where they sit in the transactional chain,” offers Tannenbaum. “OFAC regulations prohibit both the payment and any actions which facilitate the payment such as insurance and advice. Each type of entity should consider whether they have a sanctions compliance program, and policies and procedures to address their relevant sanctions risks.”
Insurance companies have been investing heavily in proactive risk mitigation to avoid this mess altogether. “We recommend that companies should have proper business continuity and disaster recovery plans in place and regularly tested so that payment of ransomware is not the organization’s only choice,” said Keegan. “Backups of critical systems should be segmented and stored offline. Companies should have a well-documented and ransomware specific incident response plan to allow clear and efficient decision-making to weigh legal risks against the risks to the business”.
Ransomware hits major companies every day; the ones with proper controls and tested backups recover quietly, and we never read about them. Prepare, and stay out of the news!