States Ban Ransomware Payments – Security Boulevard

When you fall victim to a ransomware attack, you usually have a few options. You can restore from backups (if you have backups). You can rebuild your network and all the devices on it. Or you can pay the ransom. The tactic you decide to adopt often depends on the cost of each, including the potential reputational cost and legal fees associated with choosing one option over another. It makes no sense to pay $2 million to rebuild your network in the face of a ransom demand of $5,000.

However, municipalities, including state and local governments, cities and towns that often fall victim to ransomware attacks, may no longer have the ability to pay the ransom, even when it makes good economic sense. Increasingly, state legislatures have made it illegal to use public funds to pay ransom in ransomware cases. This reflects an ideological view that if everyone agrees not to pay a ransom, ransomware attacks will subside because they are unlikely to be successful for the ransomware threat actor. This reflects a form of the tragedy of the commons: if only one person agrees to pay a ransom, then everyone is in danger. But if no one is allowed to pay a ransom, everyone is protected.

However, it is not clear that there is any empirical evidence supporting this theory. While ransomware threat actors tend to be logical and select their targets based on their likelihood to pay, ransomware threat actors are not a homogenous group. Some intentionally target particular victims with specific types of ransomware in the hope of getting paid. Others spray and pray, picking targets of opportunity in the hope that one of them is willing to pay the ransom. Still others release ransomware on a network where it spreads from computer to computer and system to system. In these cases, they can attack both state actors and commercial entities.

Also, the legislation is not just aimed at municipalities and states. Some proposed laws and regulations also target commercial entities, including banks, hospitals and other institutions, and prohibit them from paying the ransom as well. In addition, states that prohibit the direct payment of a ransom also prohibit the indirect payment of a ransom. This means that insurance companies, forensic firms, accounting firms and others are also prohibited from paying ransom. Indeed, the wording of some of these regulations is so broad that it could be interpreted as prohibiting commercial entities with government contracts from using the funds they received under those contracts to pay a ransom after a ransomware attack on their own infrastructure.

This is in addition to guidance from the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) advising companies that decide to pay a ransom that they may be violating United States anti-money laundering laws and national and international sanctions by making such payments.

All in all, this makes the ransomware situation much more complicated. For example, if a municipality has commercial insurance against ransomware attacks and there is a ransomware incident in which the threat actor demands a small payment, the insurance company is now prohibited from making such a payment to mitigate the harm or damage. Instead of paying the $5,000 ransom, the insurance company is now required by law to pay the $25 million to rebuild the entire network. What we can expect is that insurance companies will cap their damages and losses at either the cost of the ransom or the cost of reconstruction, whichever is lower.

It also reflects the lingering ideology of regulators and legislatures that punishing victims of cybercrime is an effective deterrent. While the goal of increasing security for all involved is laudable, the end result is that businesses that fall victim to data breaches, attacks, ransomware incidents or other forms of cybercrime run the risk of themselves being investigated and prosecuted. This is true whether the company has a reasonable information security program or has done absolutely nothing to protect or defend against an attack. From a civilian perspective, businesses will need to have reasonable information security programs designed to prevent ransomware attacks or, at a minimum, to be resilient and to rebuild effectively and cost-effectively after a ransomware attack, since there may not be an option to pay the ransom.

On June 28, 2022, Florida Governor Ron DeSantis signed HB 7055, which requires, among other things, starting July 1, 2022, that all state agencies report cybersecurity and ransomware incidents, and that every state employee receive substantive cybersecurity training. All good things. However, Florida also joined the growing number of states, starting with North Carolina in April of this year, then Pennsylvania, Texas, Arizona (HB 2145) and New York, that have either prohibited, or are seeking to prohibit, ransom payments in ransomware cases. The New York proposal not only prohibits government agencies from paying ransom, but also prohibits Empire State businesses and healthcare entities from paying ransom. A proposed federal law, the Ransomware and Financial Stability Act of 2021, 117 HR 5936, would also prohibit any US financial institution from making a ransomware payment greater than $100,000 without Treasury Department authorization. Federal law also requires entities in the critical infrastructure sector to inform the government within 24 hours if they made a ransomware payment.

In the short term, this means, first for the municipalities and, ultimately, for everyone, that they will be unable to carry out a real risk analysis: is it more cost-effective to pay the ransom or to rebuild or restore the data? Like the cities of Baltimore and Atlanta, they will be forced to pay millions or tens of millions of dollars in lost time and reconstruction costs, even when the ransom demands are relatively low. It also means that, just as with data breaches, data theft and other cyber attacks, the government will devote resources not to catching criminals and preventing crimes, but to punishing the victims of those crimes for failing to take adequate measures to prevent the crimes from occurring.

Paying a ransom is always controversial. In a way, it provides an economic incentive for threat actors to keep doing what they are doing. It also provides economic support to threat actors, which they use to fund further criminal activity. Finally, due to the nature of cryptocurrencies, we cannot know where the money goes once it has been paid. Is it used to fund additional cyber threats? Is it used to finance the war in Ukraine? Is it used by terrorist organizations?

Most of these laws prohibit not only the direct payment of funds for ransom, but also indirect payment by insurance companies, forensic companies and others. Thus, these entities must ensure that no state or municipal funds are used for the ransom payment.

The wording of the law may also be broad enough to make it an offense for a covered entity to pay hackers, even under a bug bounty program. For example, Florida law defines a “ransomware incident” as follows:

“…a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to, encrypts, alters, or otherwise renders it unavailable and subsequently the person or entity demands a ransom to prevent the release of the data, restore access to the data, or otherwise remedy the impact of the software.”

So if a gray hat hacker accesses data from a state agency and asks for payment to provide information on how they were able to do so, so that the agency can remediate the impact, payment of those “fees” may now be prohibited under Florida law.

Insurance companies offering ransomware insurance can now include clauses stating that they will reimburse the cost of the ransom demand or the cost of remediation or reconstruction, whichever is lower. For an entity that refuses to pay (or is prohibited from paying) a ransom, the risk of loss rests with the state, not the insurer. Or, more precisely, with the taxpayers.

Nobody wants to pay a ransom. If no one paid a ransom, threat actors might — might — move on to a new form of attack. But disallowing the option means these attack victims have fewer options to respond to ransomware and extortion attacks and run the risk of being sued themselves for trying to fix a faulty system.
