Ransomware: Would Banning Ransom Payments Mitigate Threat?
Here's Why Stopping the Extortion Epidemic Isn't Easy
Imagine this dystopian future: With ransom payments to cybercrime gangs outlawed by Western governments, a new breed of mercenary navigates the margins.
These so-called ransomware blade runners negotiate on behalf of organizations hit by network intrusion specialists who have stolen data, left systems encrypted and are threatening to leak the data unless they receive a payoff in monero or another privacy-preserving cryptocurrency. At the same time, they serve as a deniable back channel, shielding victims on one side from FBI, Treasury and other government investigators and, on the other, from data-exfiltration snatch artists who are trying to steal or buy the stolen data for their own shakedown purposes.
"I struggle to work out why it's OK to pay some ransoms but not others."
Even without attempting to channel the hard-boiled science fiction of Philip K. Dick or William Gibson, it's tough to imagine a future in which banning payments to ransomware gangs doesn't make things worse.
Just to be clear: Organizations are getting hit left, right and center by ransomware-wielding attackers who increasingly threaten to leak, auction or otherwise publicize stolen data to up the pressure on victims to pay a ransom (see: Ransomware: Cybercrime Public Enemy No. 1).
Something must be done to stop the ransomware pandemic - but what?
The U.S. Treasury Department's Oct. 1 advisory on ransomware payments puts the legal risk bluntly: "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory warns.
The Treasury Department's Office of Foreign Assets Control - OFAC - enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Organizations and individuals on the OFAC sanctions list include certain nations, international narcotics traffickers, individuals involved in the proliferation of weapons of mass destruction and terrorists.
In general, Americans and everyone else in the world are prohibited by U.S. law from directly or indirectly transacting with any individual or organization on the sanctions list. The Treasury Department also urges any organization or ransomware incident response firm that suspects it might be in negotiations with any "criminals and adversaries with a sanctions nexus" to contact the department immediately.
While the Treasury's announcement might look like a shot across the bow, legal experts have been warning for years that any organization should consult its attorney before paying a ransom. That's because making a payment could violate various laws - especially if the money ends up in terrorists' hands.
As the Treasury makes clear, its new advisory "is explanatory only and does not have the force of law" or modify any existing laws. It references various now-defunct ransomware operations: Cryptolocker - tied to Russian national Evgeniy Mikhailovich Bogachev; SamSam - tied to two Iranians; WannaCry 2.0 - blamed on North Korea; and Dridex malware - tied to Russia-based cybercrime organization Evil Corp and its leader, Maksim Yakubets, as examples of "malicious cyber actors" on its sanctions list.
Of course, at the time such groups were in operation, they were not on any sanctions list.
FinCEN Alert, G-7 Pledge
Also on Oct. 1, the Treasury's Financial Crimes Enforcement Network released a separate advisory for financial services firms as well as digital forensics and incident response companies and cyber insurance companies.
The FinCEN advisory (PDF) warns these organizations that if they handle payments to ransom operators, they may be required to register with FinCEN as a money services business and comply with anti-money laundering regulations, including the Bank Secrecy Act and its requirement for filing suspicious activity reports. These reports can be required when financial institutions are used "to facilitate criminal activity," such as handling the proceeds from an extortion attack.
On Tuesday, several nations issued a statement pledging to enhance their efforts "at coordinated responses to ransomware, including where possible information sharing, economic measures, and support for effective implementation" of anti-money laundering and anti-terrorism-financing processes. The G-7 statement on ransomware (PDF) notes that, with gangs predominantly requiring payment in virtual currencies, it's imperative that cryptocurrency exchanges "hold and exchange information about the originators and beneficiaries of virtual asset transfers."
Giving investigators a better ability to "follow the money" could help law enforcement disrupt more ransomware gangs, including their payment conduits (see: Criminals Still Going Crazy for Cryptocurrency).
In the bigger picture, however, it's treating a symptom, not the cause. And the problem of what to do about ransomware remains thorny.
During a presentation earlier this month, Ciaran Martin, who until Aug. 31 served as CEO of the U.K.'s National Cyber Security Center - the public-facing arm of the GCHQ intelligence agency - was asked this question (by a secondary school student with an interest in cybersecurity, no less): Is ransomware the biggest threat we face today, and will that change anytime soon?
"Yes, and no," Martin replied. "Certainly," he said, ransomware "is the biggest obvious problem" at the moment. "And do I see that changing? No, because it's too lucrative and too easy."
'Lively Debate' Over Bans
What can be done? Martin, who was speaking at a virtual event organized by the Scottish Business Resilience Center, which helps coordinate better cybersecurity and resiliency practices across the public and private sectors, says there are two ideas he's particularly keen to explore: "One is trying to get insurance to work properly" and ensuring that victims aren't simply paying out all the time. "And the other is about the law," he said.
Recently, there's been a "lively debate" about whether the law should be changed to try to better counter ransomware schemes, he said. "I'm not completely convinced that banning ransom payments is the right thing to do, but ... [under] U.K. law, if it's a prescribed terrorist organization campaign you can't pay, but if it's what we used to call in Northern Ireland the 'ordinary decent criminal,' it's fine. That doesn't really make sense."
Likewise, the recent U.S. Treasury warning emphasizes that, if you pay a ransom to a sanctioned individual or organization, then you could face financial or criminal penalties.
"I struggle to work out why it's OK to pay some ransoms but not others. In the U.K.'s case, it's the result of the law being designed to prevent the payment of ransoms to terrorist groups and kidnappings in the noughties [the decade from 2000 to 2009] ... when there were some horrible incidents in places like Mali and Syria and Iraq and that sort of thing," Martin says.
But government sanctions aren't going to stop ransomware. If need be, desperate organizations might attempt to use attorney-client privilege and intermediaries - aka cut-outs or mercenaries - to pay ransoms in exchange for the promise of a decryption tool, especially if the alternative is to go out of business.
Cybersecurity Community: Call to Arms
In fact, Martin - who's now professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government - says it's not clear that governments will be key to solving the ransomware problem. Rather, better solutions will hopefully come via the cybersecurity community.
"Certainly one of the frustrations of my last year in government was that there was an awful lot of attention on stuff like 5G and so on, and rightly so," he said. "But [fighting] ransomware needs a sustained effort, and that should be a big focus of the cybersecurity community as well, and it doesn't necessarily have to be - or indeed should be - government-led."