Without any doubt, the COVID-19 outbreak has presented enterprises with unprecedented hurdles, and it has coincided with a massive spike in cyberattacks. Victims of ransomware attacks, whether large or small enterprises, are put in a difficult position as they try to maintain day-to-day operations while dealing with the privacy and confidentiality implications of their compromised data. Aside from the financial strain of the ransom demand itself, firms that facilitate payments to attackers may be in violation of sanctions legislation.
Kaseya Limited (Kaseya), a Florida-based IT business, was the target of what has been called the "largest ransomware attack in history." The attack was claimed by a gang associated with the Russia-based REvil (Ransomware Evil), a ransomware-as-a-service operation. The attackers gained access to Kaseya's client data and demanded a $70 million ransom, the highest ransomware payment demand on record. The significance of this attack, and what it indicates about the evolving tactics of these criminal organizations, is that the attack on Kaseya was intended to harm not only its own systems but also the systems of all its customers, using a technique the article calls ricocheting. Ricocheting is the intrusion into the network of a key player in the IT supply chain, a pattern most typically observed in cyber-espionage, and the subsequent use of that network to spread malware to the key player's clients.
Recommendations for Mitigation: A Risk-Based Approach to Governance
Given the growing threat of ransomware attacks, it is vital that organizations, especially financial institutions (FIs), adjust existing systems and implement effective protocols to recognize and manage the sanctions risk of facilitating a ransomware payment.
A risk-based approach requires adequate governance tools and controls. Given the US Treasury Department's regulatory attention to ransomware, FIs should either develop an effective ransomware compliance program that meets this regulatory scrutiny, or modify and improve their current processes and systems so that they (1) provide for regulatory control and (2) reduce the sanctions risk incurred if a ransomware payment is facilitated.
1. Preventive measures and regulatory supervision
- A risk-based compliance program and associated practices would be a key mitigating factor in any enforcement action brought against the FI for facilitating a ransomware payment.
- OFAC views a risk management committee comprising senior leadership and subject-matter experts as evidence of an institution's commitment to compliance.
- A data-driven risk assessment should be conducted that covers cybersecurity system vulnerabilities, the elements of system resilience, and any weaknesses in human resources.
- Internal controls should include, but are not limited to, written policies and procedures (including business continuity processes), adequate enforcement mechanisms for those policies and procedures, record-keeping procedures, and a clearly delineated chart of duties and responsibilities for all staff members, particularly those in high-risk roles.
- To ensure that operations are not halted or severely disrupted, a business continuity strategy and procedure must be in place, including robust, regularly tested data backups that are kept isolated from the production network so that they cannot be encrypted or deleted in the same attack.
- The majority of attacks start with phishing and spear phishing, as well as the exploitation of other human weaknesses. As a result, all relevant staff should receive regular ransomware and cybersecurity training.
2. Reducing the danger of sanctions when ransomware payment is enabled
- Consult legal counsel before contacting law enforcement.
- Carry out risk assessments, including determining
- Evaluate and decide between payment and nonpayment alternatives; the decision and its rationale must be adequately and rigorously documented, preferably with the involvement of a national law enforcement agency (e.g., the FBI or the Royal Canadian Mounted Police [RCMP]).
The Importance of a Risk-Based Approach to Governance and Record-Keeping for FIs
The updated Treasury Department advisory advances the US government's broader counter-ransomware strategy by emphasizing the importance of improving cybersecurity practices, reporting to US government entities, collaboration and cooperation between the public and private sectors, and close relationships with international partners, including law enforcement agencies worldwide.
The Treasury also encourages victims of attacks and related businesses to report the attacks and cooperate fully with law enforcement as early as possible; doing so is treated as a significant mitigating factor in any potential OFAC enforcement action.
Overall, a risk-based approach to governance and record-keeping for FIs, together with the implementation of preventive measures to minimize regulatory risk, particularly the sanctions risk associated with ransomware payments, are the minimum and most realistic steps that FIs and businesses should take to ensure adherence to the standards set forth by OFAC in its guidance.