Ransomware: To Pay or Not to Pay? That is the Question

Imagine that you are recently a victim of a malware attack. You have opened up an email, selected an unfamiliar link, and as a result fallen prey to malware that uses strong encryption to lock your data. The data affected may be what is needed to run a business, financial institution, municipality, or even a hospital. This attack, by a malicious actor (possibly state-sponsored), has rendered your data inaccessible. A logical question is “What do I do next?”. 

In most scenarios, this data will remain unavailable until the ransom demand has been paid, the hacker sends the encryption key(s) to unlock the data, and a professional assists in bringing your system back online. Time is typically of the essence to open the communication lines with the hacker(s), to initiate the next steps (in a safe and secure manner), understand the demand, and decide on whether you will be making payment to prevent permanent corruption or destruction of your data. Questions that we frequently hear during a ransomware situation are “Should I pay?”, quickly followed by “What if they don’t send the encryption key?”. Both are very valid questions and can only be answered on a case-by-case basis. In today’s environment, another question that must be taken into consideration is, “Can we legally pay the ransom?”  

In October 2020, The US Department of The Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning addressing victims of ransomware as well as those involved in the negotiations of payment, securing the funds for payment, and the payment of the ransom. Specifically, those persons subject to US jurisdiction may be held civilly liable for making a payment to any targeted person, group, entity, or country on a blacklist called the “Specially Designated Nationals and Blocked Persons List” (SDN).  Such activity puts the victim, incident response companies, insurance companies, and financial institutions at risk of being involved in criminal activity and for aiding in the ransomware attack. If you pay a ransom to an SDN you have violated US law. Those on the SDN list have their assets blocked. This list is updated regularly by the US Department of The Treasury.

An already difficult situation for any victim now comes with the added pressure of deciding whether to pay the ransom, knowing you are likely breaking the law. Keep in mind that not paying will most likely keep you in a state of being unable to access data and/or systems required to run a business, bank, city, or hospital. Good intentions alone are not a mitigating factor; in fact, intent is not required to be guilty. You may also be held liable even if you did not know or have reason to know you were violating sanctions. So, how do you stay on the right side of the law?

As a victim, you need to consider what you know (which admittedly is likely limited) and lean on trusted professionals to advise you. Victims typically only know a few things about the attack: the type of ransom, an email address to communicate with the attacker, and the wallet address for cryptocurrency (often bitcoin) payment. Do you know whether you are paying an SDN? Can you determine if the attacker is related to one of the five specifically listed ransomware (Cryptolocker, SamSam, WannaCry 2.0, Dridex, or Triton) in the OFAC advisory? If you answer yes to either of these questions, it is against the law to pay. 

The Treasury office offers a few recommendations:

1.    Check the list of SNDs before making any payment.
2.    Seek an exemption from the Treasury Office.
3.    Report incidents to law enforcement (this is believed to perhaps be a major mitigating factor should payment have been made). The OFAC advisory wants law enforcement involvement from the start of being aware of the attack and continued cooperation with law enforcement throughout the investigation. 

Arguments fall on both sides of this “to pay or not to pay” decision when the payee is an SDN. From a Treasury perspective, their goal is to prevent awarding these “hackers.” The rationale being if no one pays ransomware requests then they will eventually cease to exist. Now consider the victim’s viewpoint. They undoubtedly need the data to run their business, municipality, or hospital. Not having the data could be life-threatening or cause financial ruin.

Another option to be considered when determining your best course of action is restoration of data from backups. When is the most recent system backup, is it in good working order, and is it complete? While sometimes it is ideal to restore a backup and rebuild your environment in many cases it is not. We have seen instances in which the cost to restore and rebuild an environment can be as great as 100 to 1,000 times the cost of the ransomware payment. Tough choices when considering what to do.
Capsicum’s cybersecurity team and former law enforcement professionals can help navigate you or your clients during this stressful time. Additionally, Capsicum can help protect against such attack by providing security assessment services; ensuring updated and secure backups are being conducted and are being maintained off network; assisting with enhancement of compliance programs and ransom policies to mitigate sanctions risks; performing documented investigations related to identifying the attack and attacker and their designation by OFAC; and working with counsel and law enforcement.   

About Capsicum:
Capsicum was founded in 2000 within the law firm of Pepper Hamilton, LLP. (now Troutman Pepper Hamilton Sanders LLP.) Charged with providing technology consulting support to their clients, we soon realized that the need to understand, collect, and forensically analyze digital data went far beyond what we were handling: We began our journey as general technologists, but quickly became specialists in digital forensics. Our areas of expertise soon evolved and expanded into forensic investigations, cybersecurity, discovery, electronic and paper recovery, security, regulatory compliance, and incident response retainers. In 2002, Capsicum became an independent consulting company that focuses on these core services. Employing high-caliber experts and a unique understanding of data, technology, and the law, we support organizations that need technological proficiency to run their companies and when they come face-to-face with difficult tech, legal, and regulatory situations. Capsicum is headquartered in Philadelphia, PA with offices in New York, Florida, Texas, and California.