The debate over whether or not to pay the ransomware demand has gone on for a while now. The FBI has long urged businesses to refuse all demands for a ransom payment. And while most businesses aren’t exactly excited to shell out a ton of money to criminals, if their backups are corrupted or they are facing extended downtime, paying the ransom may start to feel like the only option. Adding to the debate, last week the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released updated ransomware guidelines, reinforcing the FBI’s stance and possibly opening the door to imposing fines on organizations that pay up.
In the updated guidelines, the OFAC states that the U.S. government “strongly discourages businesses from paying ransom demands, arguing these payments may help fund future attacks against the U.S. The OFAC also makes the point that paying the ransom in no way guarantees you will ever see your data again or that the attackers didn’t make a copy of your sensitive information to use against you later.
However, the OFAC is doing more than strongly discouraging payments, they may also start imposing civil fines on those who do pay. “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially
Designated Nationals and Blocked Persons List (SND list).” And just last month the OFAC added SUEX, a cryptocurrency exchange service, to that list. According to OFAC, over 40% of transactions on SUEX are more illegal purposes, include ransomware payments.
These new guidelines, therefore, give the U.S. government to fine businesses who decide to pay the ransom. However, Treasury Department is careful to clarify that other, preventative measures businesses take against ransomware may save businesses from dealing with public civil fines. Such mitigating measures include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.
Incident response plans are essential for mitigating the effect of any form of cyber attack. A good plan involves not only having a detailed roadmap for how to respond to various cyber attacks but also includes bringing in a team of employees how are responsible for carrying out different parts of the plan, running test scenarios with that team, then making any necessary adjustments from what didn’t work during the tests. When it comes to incident response, a quick, competent, and efficient response is essential to mitigating risk and limiting damage.
Backups are also critical for dealing with a ransomware attack, potentially allowing you to get your data back without ever having to deal with the attackers. And because these backups are so important, it’s essential to be smart about how you do it. First, use the 3-2-1 approach to backups. You want to have 3 backups on hand so you have multiple options in case one gets corrupted. 2 backups should be kept on-site for easy access, but 1 should be stored off-site and offline, to ensure the attackers can’t get a hold of that too. And because ransomware attackers often steal administrative credentials, you should use separate passwords for your backups.