FBI Guidance Evolves on Ransomware Payments

The decision of whether to pay the ransom during a ransomware infection can be an incredibly complex one, especially for organizations that may not have complete backups or that run critical systems that cannot afford downtime. Law enforcement agencies have for many years told victims not to pay, and when the Department of the Treasury issued a warning last month that paying ransoms to sanctioned entities could result in penalties, that only added another layer of complexity.

The wording in that advisory from the Office of Foreign Assets Control, which handles economic and trade sanctions, is ominous. It warns that victims or intermediaries that pay, or facilitate payments to, people or entities subject to OFAC sanctions may face serious consequences.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the advisory from Oct. 1 says.

That’s not a risk many organizations would take on willingly in most circumstances, but an enterprise hit by a ransomware attack that threatens the continuing operation of its business is left with a brutal choice: refuse to pay and risk considerable damage to the business, or pay and risk civil penalties. This dilemma is not lost on law enforcement officials, who see both sides of ransomware incidents.

“Paying the ransom from our perspective is a bad idea. It fuels further criminal activity and it’s bad for society in the long run. The reason this continues to happen is it’s profitable. Our position has to be that we do not recommend paying the ransom. The FBI would be remiss in the execution of its law enforcement duties if it said anything else,” Herb Stapleton, cyber division section chief at the FBI, said during a panel discussion at the CyberNextDC conference Wednesday.

“That being said we aren’t so unrealistic that we don’t recognize the realistic position that puts businesses in, especially small and medium businesses.”

The FBI’s stance on ransomware payments has been evolving somewhat in the last year. In October 2019, the bureau issued revised guidance on ransomware attacks and how to react to them, including a section that acknowledged the difficult choice victim organizations face.

"The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," the section on paying the ransom in the updated guidance said.

In addition to the ransom payment decision, victim organizations also need to decide whether to bring in law enforcement. It may seem like a no-brainer: you’re the victim of a crime, so call the police. But ransomware isn’t that cut and dried, and in many cases security teams are not sure what immediate benefit they will get from involving the FBI or other law enforcement agencies. They may also be wary of bringing in the FBI if they’ve already paid the ransom, fearing exposure to OFAC penalties. Stapleton said that while that complicates things, victim organizations should still contact law enforcement as soon as possible during a ransomware incident.

“The FBI will continue to treat you as a victim even if you pay,” he said.

“There has been a wrench thrown in the works by the OFAC advisory, but it doesn’t change our position. That’s something we’re going to have to grapple with going forward: How sure are we that the payment is going to a sanctioned entity?”

Stapleton also pointed to a section of the OFAC advisory that offers a potential lifeline to companies that work with law enforcement even if they pay a ransom to a sanctioned entity.

“OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome,” the advisory says.

Some of the most damaging ransomware attacks in recent months have targeted hospitals and other health care providers, as well as organizations working on COVID-19 vaccine research. Security experts and law enforcement officials have warned organizations in those sectors about the increase in ransomware activity and have called on agencies around the world to go after the groups behind the attacks, many of which are known to researchers and law enforcement alike.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in a post last week.