The FBI has said for years that paying a ransomware ransom was a bad idea. It encourages the bad guys and funds their bad guy activities.
But last week the decision became harder when the Treasury department said that they were going to add ransomware organizations that are connected to terrorist organizations to the list of companies that Americans are not allowed to do business with, called the Specially Designated Nationals or SDN. This list is managed by OFAC, the Office of Foreign Assets Control.
By doing this, it makes paying ransom to these organizations a federal crime, punishable by up to 20 years in jail and/or a $1 million fine or civil penalties of up to $55,000.
The penalties can be levied against companies trying to get their systems back, law firms, insurance companies, banks, security service providers or anyone else who is in the food chain between the hackers and the victims.
While most people understand that paying ransom is not a good idea, if the choice is between paying the ransom or watching your firm close, many companies hold their noses and pay the ransom. A recent survey of 5,000 IT pros found that 26% did pay a ransom; virtually all of them got their data back. Company execs have to keep its customers, employees, investors and the general public. Not an easy call to make.
One of the challenges if you do plan to pay the ransom and do not want to spend the next 20 years as a guest of Uncle Sam (which is unlikely, but possible), is how do you figure out whether the particular hacker that you are paying is on the Specially Designated Nationals list. After all, they don’t exactly give you their Social Security Number to look up.
Another challenge that executives face is ransomware 2.0 – the version of ransomware where the hackers steal your data and threaten to publish or sell your information if you don’t pay the ransom. There is no good defense against this form of ransomware.
Most insurance policies have a clause that says that they will not facilitate a crime, so if it is determined that paying the ransom may be a crime, most insurance companies will decline to do that.
However, that doesn’t get the insurance company off the hook – they still need to make you whole, even if doing so if more expensive for them.
Now would be a good time to talk to your insurance provider and ask them how they plan to handle this situation. In the case of OFAC, even if you break the law unintentionally, you are still guilty. The burden of proof is on you.
The feds would like you to share the information about ransoms that you paid, but for many companies, the main purpose of paying the ransom is to keep things quiet. Even if doing so is illegal, which most of the time, it is (illegal). Telling the FBI that you paid a ransom and didn’t notify either the authorities or the victims does not seem like a plan that would be viewed favorably by law enforcement.
We are seeing a lot of attacks against healthcare. Forcing hospitals, for example, to shut down or divert ambulances can cause patients to die. In addition, even if the hospital can continue to operate, its operations will always almost cause care to patients to be degraded, even though the hospitals will say everything is fine – because they do not want to be sued. All of this in the time of the worst pandemic in 100 years.
Unfortunately, other than keeping the hackers out, there are no good answers. I recommend working hard to keep the hackers out. Credit: The Record