A patient dies after hackers launch a ransomware attack against a hospital’s computers, delaying her treatment.
This may sound like the plot of a sci-fi thriller, but it really happened last fall at a German hospital — and experts say it’s only a matter of time before ransomware attackers target your business.
More sophisticated and destructive ransomware attacks are on the rise, according to government regulators and law enforcement officials. The primary targets are businesses in highly regulated industries such as health care, finance and government contracting, as well as companies running older computer systems that cannot be regularly patched or protected by current anti-ransomware software.
Ransomware attackers know businesses have a lot to lose, in lost productivity and in potential fines and penalties, so they count on victims feeling cornered into paying. Companies must decide between paying the ransom and facing prolonged business interruption or data loss.
The FBI and U.S. Department of Health and Human Services recommend against paying ransoms. Payment doesn’t guarantee decrypted or returned files, and it may even embolden attackers to launch future assaults.
The Department of Treasury’s Office of Foreign Assets Control, or OFAC, recently warned companies that payments made to ransomware attackers might violate U.S. sanction laws. This includes businesses that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response.
In recent years, OFAC has used its cyber-related sanctions program to designate numerous bad actors as targets of U.S. enforcement. In addition to payments to these designated individuals and groups, ransomware payments that require the transfer of funds to embargoed nations or regions, such as Cuba, the Crimea region of Ukraine, Iran, North Korea and Syria, may violate U.S. law.
Businesses that pay these ransoms may face civil penalties that carry a hefty price tag — up to $20 million — even if they don’t know they’re engaging with someone on the blocked list.
While the intent of OFAC’s recent advisory is clear, to limit the flow of funds to sanctioned actors and disincentivize them from engaging in future attacks, the means of complying with it are less clear. Attackers rarely identify themselves, and attribution is difficult, so a business often cannot tell whether a payment would reach a sanctioned party and therefore cannot reliably evaluate its risk of violating sanctions regulations. Continued monitoring of enforcement actions is in order to see what posture OFAC takes on these issues.
In the meantime, businesses can take steps to guard against ransomware attacks — and it starts with employees.
The individual user continues to be the weakest link in any organization’s defenses. Most ransomware attacks arrive disguised as phishing messages, waiting for an unwary user to click a malicious link or open a malicious attachment.
Further complicating matters is the move by many organizations to store information in the cloud. Moving data to a cloud provider does not transfer responsibility for it: in the eyes of the law, the organization still retains liability for that data.
Cultivating a culture of compliance with security policies provides the most effective safeguard against ransomware attacks.
Adam D. Bruski is a senior counsel and Norbert F. Kugele and Nathan W. Steed are partners in the law firm Warner Norcross + Judd LLP. They practice in business and corporate services and cybersecurity and privacy issues. They can be reached at email@example.com, firstname.lastname@example.org and email@example.com