Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Governance & Risk Management , IT Risk Management

Ransomware: Would Banning Ransom Payments Mitigate Threat?

Here's Why Stopping the Extortion Epidemic Isn't Easy
Ransomware: Would Banning Ransom Payments Mitigate Threat?
FinCEN says digital forensics, incident response and cyber insurance companies may have to report convertible virtual currency - CVC - payments to ransomware gangs.

Imagine this dystopian future: With ransom payments to cybercrime gangs outlawed by Western governments, a new breed of mercenary navigates the margins.

See Also: Live Webinar | Compliance and Cyber Resilience: Empowering Teams to Meet Security Standards

These so-called ransomware blade runners negotiate on behalf of organizations hit by network intrusion specialists who have stolen data, left systems encrypted and are threatening to leak the data unless they receive a payoff in monero or another privacy-preserving cryptocurrency. At the same time, they serve as a deniable back channel, helping victims avoid FBI, Treasury and other government investigators on the one hand and, on the other, data-exfiltration snatch artists who are trying to steal or buy the stolen data for their own shakedown purposes.

Even without attempting to channel the hard-boiled science fiction of Philip K. Dick or William Gibson, it's tough to imagine a future in which banning payments to ransomware gangs doesn't make things worse.

Just to be clear: Organizations are getting hit left, right and center by ransomware-wielding attackers who increasingly threaten to leak, auction or otherwise publicize stolen data to up the pressure on victims to pay a ransom (see: Ransomware: Cybercrime Public Enemy No. 1).

Something must be done to stop the ransomware pandemic - but what?

Into this fray comes the U.S. Treasury Department, which on Oct. 1 issued an advisory (PDF) on "potential sanctions risks for facilitating ransomware payments."

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory warns.

The Treasury Department's Office of Foreign Assets Control - OFAC - enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Organizations and individuals on the OFAC sanctions list include certain nations, international narcotics traffickers, individuals involved in the proliferation of weapons of mass destruction and terrorists.

Sanctions Warning

In general, Americans and everyone else in the world are prohibited by U.S. law from directly or indirectly transacting with any individual or organization on the sanctions list. The Treasury Department also urges any organization or ransomware incident response firm that suspects it might be in negotiations with any "criminals and adversaries with a sanctions nexus" to contact the department immediately.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

While the Treasury's announcement might look like a shot across the bow, legal experts have been warning for years that any organization should consult its attorney before paying a ransom. That's because making a payment could violate various laws - especially if the money ends up in terrorists' hands.

As the Treasury makes clear, its new advisory "is explanatory only and does not have the force of law" or modify any existing laws. It references various now-defunct ransomware operations: Cryptolocker - tied to Russian national Evgeniy Mikhailovich Bogachev; SamSam - tied to two Iranians; WannaCry 2.0 - blamed on North Korea; and Dridex malware - tied to Russia-based cybercrime organization Evil Corp and its leader, Maksim Yakubets, as examples of "malicious cyber actors" on its sanctions list.

Of course, at the time such groups were in operation, they were not on any sanctions list.

FinCEN Alert, G-7 Pledge

Also on Oct. 1, the Treasury's Financial Crimes Enforcement Network released a separate advisory for financial services firms as well as digital forensics and incident response companies and cyber insurance companies.

FinCEN's Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

The FinCEN advisory (PDF) warns these organizations that if they handle payments to ransom operators, they may be required to register with FinCEN as a money services business and comply with anti-money laundering regulations, including the Bank Secrecy Act and its requirement for filing suspicious activity reports. These reports can be required when financial institutions are used "to facilitate criminal activity," such as handling the proceeds from an extortion attack.

On Tuesday, several nations issued a statement pledging to enhance their efforts "at coordinated responses to ransomware, including where possible information sharing, economic measures, and support for effective implementation" of anti-money laundering and anti-terrorism-financing processes. The G-7 statement on ransomware (PDF) notes that, with gangs predominantly requiring payment in virtual currencies, it's imperative that cryptocurrency exchanges "hold and exchange information about the originators and beneficiaries of virtual asset transfers."

Giving investigators a better ability to "follow the money" could help law enforcement disrupt more ransomware gangs, including their payment conduits (see: Criminals Still Going Crazy for Cryptocurrency).

In the bigger picture, however, it's treating a symptom, not the cause. And the problem of what to do about ransomware remains thorny.

During a presentation earlier this month, Ciaran Martin, who until Aug. 31 served as CEO of the U.K.'s National Cyber Security Center - the public-facing arm of the GCHQ intelligence agency - was asked this question (by a secondary school student with an interest in cybersecurity, no less): Is ransomware the biggest threat we face today, and will that change anytime soon?

"Yes, and no," Martin replied. "Certainly," he said, ransomware "is the biggest obvious problem" at the moment. "And do I see that changing? No, because it's too lucrative and too easy."

'Lively Debate' Over Bans

What can be done? Martin, who was speaking at a virtual event organized by the Scottish Business Resilience Center, which helps coordinate better cybersecurity and resiliency practices across the public and private sectors, says there are two ideas he's particularly keen to explore: "One is trying to get insurance to work properly" and ensuring that victims aren't simply paying out all the time. "And the other is about the law," he said.

Ciaran Martin, professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government, delivers a virtual presentation for the Scottish Business Resilience Center on Oct. 7.

Recently, there's been a "lively debate" about whether the law should be changed to try to better counter ransomware schemes, he said. "I'm not completely convinced that banning ransom payments is the right thing to do, but ... [under] U.K. law, if it's a prescribed terrorist organization campaign you can't pay, but if it's what we used to call in Northern Ireland the 'ordinary decent criminal,' it's fine. That doesn't really make sense."

Likewise, the recent U.S. Treasury warning emphasizes that, if you pay a ransom to a sanctioned individual or organization, then you could face financial or criminal penalties.

"I struggle to work out why it's OK to pay some ransoms but not others. In the U.K.'s case, it's the result of the law being designed to prevent the payment of ransoms to terrorist groups and kidnappings from in the noughties [the decade from 2000 to 2009] ... when there were some horrible incidents in places like Mali and Syria and Iraq and that sort of thing," Martin says.

But government sanctions aren't going to stop ransomware. If need be, desperate organizations might attempt to use attorney-client privilege and intermediaries - aka cut-outs or mercenaries - to pay ransoms in exchange for the promise of a decryption tool, especially if the alternative is to go out of business.

Cybersecurity Community: Call to Arms

In fact, Martin - who's now professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government - says it's not clear that governments will be key to solving the ransomware problem. Rather, better solutions will hopefully come via the cybersecurity community.

"Certainly one of the frustrations of my last year in government was that there was an awful lot of attention on stuff like 5G and so on, and rightly so," he said. "But [fighting] ransomware needs a sustained effort, and that should be a big focus of the cybersecurity community as well, and it doesn't necessarily have to be - or indeed should be - government-led."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.