The devastating impacts that a ransomware incident can have on a company range from minor inconveniences­, such as interruption of services, to the potential inability for a business to financially recover, creating an urgency to mitigate the effect of such a breach.

What is ransomware?

Ransomware is a type of malicious software, also known as malware, designed to encrypt files on a device, rendering them unusable or threatening to publish the victim’s personal data unless a ransom is paid.
This low-risk, high-reward paradigm for threat actors — those partially or fully responsible for the incidents — makes ransomware attacks a highly lucrative business model.

Why is ransomware dangerous?

Earnings become increasingly inflated when a business does not have the proper processes to deal with the attack. A maximum ransom may be paid due to lack of backups, absent or inadequate incident response, business continuity plans and other inadequacies.

When its data and operations are being held hostage, nearly 25% of businesses are compelled to pay the ransom, however any extortion payments must follow federal regulations.

What are the laws?

In October 2020, the United States Department of Treasury’s Office of Foreign Asset Control (OFAC) released an advisory setting clear guidelines for processing ransom payments.

The advisory states that ransomware payment facilitators — which act on behalf of the compromised entity — should deliberately review and scrutinize the office’s Specially Designated Nationals and Blocked Persons (SDN) List, embargoed countries or other blocked persons.

OFAC designates malicious cyber actors under its cyber-related sanctions program and others, including:

  • The developers of Cryptolocker, which infected more than 234,000 computers worldwide in 2013 and 2014.
  • The use of Monero for financial transactions between parties, which has been sanctioned due to the heightened privacy features it affords users. Monero obscures transactions, source and destination to achieve anonymity and fungibility.
  • North Korea’s Lazarus Group and subgroups Bluenoroff and Andariel, associated with the 2017 WannaCry attacks, where approximately 300,000 computers in at least 150 countries were impacted.
  • Russian-based cybercriminal organization Evil Corp and its leader for developing Dridex malware, which infected computers and harvested login credentials from hundreds of banks and financial institutions, ultimately taking upwards of $100 million.

OFAC may impose civil penalties for sanctions violations, even if said person was unaware they were engaging with someone prohibited under the office’s sanction laws and regulations.

The goal for all listed parties supporting the targeted company is to act in good faith, provide notice to the authorities about the incident, and reasonably prove that the threat actor is not on the SDN List. All items that must be reviewed with timely due diligence.

To comply with OFAC, the parties supporting the ransomware engagement — including a breach response firm, data privacy attorney or breach coach, or other assigned investigative personnel — can aid in the assessing from where the specific ransomware variant originated.

This is done by reviewing the ransom note for contact information, the malware variant’s behavior, and reviewing past campaign’s tactics, techniques, and procedures (TTPs) that may correlate to an embargoed group.

The malware and attack pattern can be examined through reverse engineering to see if the binary code can be tied to any known threat groups or entities.

As an additional layer of due diligence, the use of decentralized, largely anonymized crypto market, crypto ledgers and sometimes specifically Bitcoin wallets, can also be checked with a blockchain analysis to find the culprit.

This data will be part of the OFAC check to ensure that no one on the SDN list receives any funds which may conflict with pre-established OFAC guidelines.

What can you do?

Since ransomware payments to such persons or groups could be used to fund attacks or activities that endanger national security or counter foreign policy objectives, they are deemed not only a security risk but an immoral encouragement for continued future attacks.

To mitigate the impact of a ransomware attack or any breach, ECC IT clients are urged to leverage ECC IT Security services to audit security controls, build incident response and business continuity plans, and audit backups to provide layers of redundancy in the response to such assaults.

Taking these proactive steps will greatly reduce the potential risk exposure to a major incident that may result in processing payment to threat actors worldwide.