In these cases, victimizing the service provider company also victimizes their customers. Not only does the service provider receive a ransom demand, but the downstream victims receive demands as well, exponentially increasing the cybercriminals’ profits with little additional effort.
In other scenarios, cyber gangs have targeted critical infrastructure companies and sprawling healthcare organizations to demand enormous ransoms. They have proven willing to negotiate with victims to reduce large ransoms and, when ransoms are paid, to honor requests that they destroy data rather than posting or selling it.
No one knows when this particular cybercrime will end, if ever. Ransomware seems here to stay, in part because it is so profitable and relatively easy to execute.
By all reports, most companies choose to pay the ransom, which is an extortion fee by any other name. In addition to regaining access to their data, paying the ransom may also prevent their data from being released into the wild, posted on dark websites for sale, or forever hidden from them in the cellars of cyberspace. These are three common threats from ransomware gangs in exerting pressure on their victims to pay up.
Some companies elect not to pay the ransom demand, choosing instead to restore their latest data backup and resume business operations. They are adhering to best security practices calling for daily or other high-frequency data backups. Unfortunately, even though they are able to resume operations quickly, the threat still lingers that the stolen copy of their data could be placed for sale on the dark web. Ransomware is data theft, plain and simple, and we know there is no honor among thieves (Proverbs 21:10-11).
Legality of Ransom Payments. It is not illegal to pay a ransom to recover your data. However, law enforcement authorities, the FBI, and the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) all strongly advise against doing so.
OFAC maintains a Specially Designated Nationals and Blocked Persons List that includes (and imposes sanctions against) many known malicious actors and cyber gangs.
According to a recent OFAC Ransomware Advisory, victims who decide to pay ransom to recover their data may be in violation of policy, as they are “generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on the OFAC list.” Civil penalties may be imposed and “persons subject to U.S. jurisdiction may be held civilly liable” even if they did not realize that the cybercriminal they paid was on the OFAC list. This policy also applies to cyber insurers, digital forensics, and financial institutions that enable ransom payments.
The Advisory adds that payments made to entities on the OFAC list may be used to “fund activities adverse to the national security and foreign policy objectives of the United States.”
If this is not discouragement enough, experience has taught us that rewarding data thieves simply perpetuates the use of ransomware by cybercriminals and escalates the vicious cycle of breach, theft, ransom, payment.
Value of Cyber Insurance. Cyber insurance has become more commonplace in recent years as ransomware and other attacks have skyrocketed. Cyber insurance covers an organization’s liability in the event of a data breach in which sensitive customer information is potentially compromised.
In cases where policies are current and applicable, cyber insurers have reimbursed victimized companies for all or a portion of their claims, including ransom payments. But the cost of cyber insurance is going up. According to a July 2, 2021, article on ZDNet, the relentless rise in ransomware attacks has already driven up premiums by 40% this summer.
The Bottom Line. In deciding whether to (1) pay the ransom demand, (2) attempt to negotiate a lower ransom, or (3) not pay the ransom, each company must make its own decision based on the variables in their specific scenario, including consideration of the OFAC restrictions.
Several examples from 2020 and 2021 illustrate the shift to larger, more frequent, and potentially more profitable ransomware attacks. Following are five examples that stand out for various reasons.
The attack exploited a security vulnerability in Kaseya’s VSA software, and directly impacted approximately 30 managed service providers who use the software.
Those MSPs, in turn, serve as many as 1,500 clients, whose systems were also attacked and who suffered service outages or interruptions as a result. Many of these, according to Kaseya, were small businesses such as accountants, dentists, restaurants and others.
CISA and the FBI have jointly published guidance for MSPs and their clients affected by this ransomware attack.
Attackers initiated their extortion at $70 million. Thus far, Kaseya has not indicated whether it intends to pay or negotiate the ransom demanded. This ransomware attack is attributed to the notorious Russian ransomware gang REvil.
JBS Meats. Global meat processor/packer JBS SA, based in Brazil, suffered a ransomware attack the previous holiday weekend, Memorial Day 2021. Cybercriminal gangs often make their moves at holidays when victims’ IT departments are not fully staffed, giving the criminals ample time to encrypt voluminous data files before being discovered.
This ransomware attack affected JBS facilities in the U.S., Canada, and Australia. The JBS USA subsidiary is the largest meat processor in the U.S., producing nearly a quarter of the country’s beef.
Despite having resumed near-normal operations on its own, JBS elected to pay an $11 million ransom to avoid having its data posted on the dark web or otherwise made public. This is one of the largest ransom payments on record. This attack is also attributed to the REvil gang.
Colonial Pipeline. This largest fuel pipeline in the U.S. suffered a ransomware attack on May 7, 2021. It disabled fuel delivery for several days throughout the southeastern U.S. while the company negotiated with the attackers. Ultimately, Colonial paid $4.4 million in ransom to reacquire its stolen data in order to resume critical fuel delivery operations.
The Colonial ransomware attack is attributed to a Russian ransomware gang known as DarkSide. In a rare action, the FBI was able to recover part of the ransom paid to the cyber gang, although no details have been made available.
Blackbaud. In May 2020, one of the world's largest providers of software for education administration, fundraising, and financial management suffered a ransomware attack that disabled servers and blocked access to enormous databases of client data.
Blackbaud clients are predominantly educational institutions, healthcare organizations, and nonprofits in the U.S., Canada, and the United Kingdom. The attack affected more than 100 healthcare organizations and more than 10 million of their records.
It also affected universities, including the University of California, who paid $1.4 million in ransom to reclaim their data. The University had already performed significant research into COVID vaccines at that time and would have lost all related data.
Ultimately, Blackbaud itself also paid a ransom in exchange for the assurance that the stolen data would be destroyed, and reportedly received confirmation of that destruction from the perpetrators, the NetWalker cyber gang.
The amount of the ransom was not disclosed. Blackbaud has been named in at least 23 class-action lawsuits brought by victims.
Magellan Health. In April 2020, a ransomware attack affected more than a million healthcare records maintained by Magellan Health. The attack began, as many do, with a phishing email scheme that tricked an unsuspecting employee by impersonating a client of Magellan Health. When the employee replied to the phishing email, the attacker was able to gain access to company records and encrypt them.
In early July, HHS reports indicated that some 365,000 patients across three subsidiaries had been affected by the ransomware attack. By August, that number had climbed to 1.7 million individuals, including patients and employees, across various Magellan units and downstream organizations.
It is unknown whether the company or downstream entities paid ransoms for their ePHI. Magellan is the subject of a class-action lawsuit filed by several former Magellan employees.
Because so many ransomware victims choose to pay ransom for their data, ransomware gangs continue to execute bigger, bolder, and badder ransomware attacks. The most active and brazen gangs can be traced to Russia, where they seem able to operate without interference.
Phishing and similar social engineering schemes that take advantage of unsuspecting employees are the entry tool of choice for these gangs. However, exploiting security vulnerabilities in networks, email systems, software, and websites continues to be effective.
Regardless of how the ransomware attacks originate, exploitable weaknesses within the victim companies affect not only those companies by blocking access to their data, but can also impact their downstream clients, customers, patients, and suppliers.
Paying ransoms to recover data is risky. In addition to giving cybercriminals more bucks for their bang, making payments to those on the OFAC sanctions list violates U.S. Treasury policy and may incur civil penalties.
The question remains, where will ransomware end? The answer, at least for now, is there’s no end in sight.
FBI Cyber Task Force: https://www.ic3.gov/default.aspx; www.fbi.gov/contact-us/field
U.S. Secret Service Cyber Fraud Task Force: www.secretservice.gov/investigation/#field
CISA (Cyber Security and Infrastructure Security Agency): https://us-cert.cisa.gov/forms/report
Homeland Security Investigations Field Office: https://www.ice.gov/contact/hsi