The US Department of Treasury's Office of Foreign Assets Control (OFAC) stated the following on October 1, 2020:
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
Talk about insult to injury! We've interacted with prospective clients "mid-ransom" and have read online about the countless ransomware infections that have ground unprepared businesses to a halt.
Until now, the options were either A) Be prepared by using an evolving stack of security and backup precautions or B) Become a victim and pay the ransom so that your business can continue to operate. Insurance companies have created departments, and ransom negotiation firms have popped up over the years because thousands of businesses choose B.
As of October 1st, 2020, insurance companies, ransom negotiation firms, and ransomware victims have been put on notice by the US Government - paying that ransom is likely illegal.
Why? You're funding and enabling criminal activity. Ransomware's exploding popularity for criminals is linked to how successful it's been at making money. Making paying the ransom officially illegal and fining victims who pay is an unfortunate but necessary first step toward curbing this behavior.
PK Tech's Take:
We've interacted with prospective businesses where the choices were literally to pay the ransom, or close up shop. We advise that victims talk to their insurance companies ASAP for what to do next. It's a complicated situation, and there is an ethical and moral dilemma with paying the ransom. Consider every possible solution that involves not giving criminals what they want.
Unfortunately, if you're staring at a ransom note and paying is your only choice to survive, you're now dealing with a set of problems.
- Why wasn't the security of your company more important to you before today? If you survive this, you have a large IT expenditure coming up.
- What are you going to do if you pay and don't unlock the data?
- How do you know the criminals aren't going to leak your sensitive data, and it comes back on you?
- How are you going to rebuild your reputation if this gets out?
Before you're staring at a ransom note, our advice is to protect yourself by working with a competent IT Company that implements an evolving set of security and backup solutions.
If you or your business is being asked to pay for a ransom, contact your insurance company ASAP. They'll ask you to contact an IT Company to assist with the technical remediations. Or, if you want to talk to an IT Company about proactively implementing a comprehensive set of security solutions, please reach out here to get in touch with us.