HACKED COMPANIES CAUGHT BETWEEN A ROCK AND A HARD PLACE
“Caught Between a Rock and a Hard Place” is defined by Oxford/Lexico as follows: In a situation where one is faced with two equally difficult alternatives.
And that is precisely the bind any hacked company is up against. Does the victim/company pay the criminals or not?
In my previous two posts, I gave a few examples of companies that chose to pay:
In this third and final post on Ransomware attacks, I thought it would be helpful to use a recent example of a hacked international manufacturing firm that decided not to pay.
GLOBAL COMPANY THAT REFUSED TO PAY
Last year, some criminals hacked Norse Hydro, a Norwegian aluminum company with 170 locations worldwide. Over 22,000 of their computers were compromised, including the clocks hanging on their walls.
To appreciate the magnitude of this kind of hack, keep in mind that the hackers need to provide a separate decryption key for each of the 22,000 computers for the victim to recover their files. Often the hackers give the wrong key, which can become a logistical nightmare even after a company pays. Plus, it does not guarantee the files will be returned.
To date, Norse Hydro has paid £45 million to recover from the attack. Why did they choose not to pay?
According to the Norse Hydro CEO Jo De Vliegher:
“I think in general it’s a very bad idea to pay…it fuels an industry…it’s probably financing other sorts of crime.”
That is true. Cybercrime feeds criminal organizations and rogue nations, but one intriguing question about the attack on Norse Hydro is whether or not they were allowed to pay. According to one report, they did not get that chance, and that the hackers were more interested in disruption than collecting a ransom.
HOW IS THE U.S. GOVERNMENT RESPONDING TO COMPANIES THAT PAY?
The U.S. Department of the Treasury intends to place sanctions on companies that pay hackers on its–Office of Foreign Assets Control (OFAC)–list of cybercrime groups operating from countries like Iran, North Korea, Russia, and China.
DILEMMA FOR CYBER INVESTIGATIONS/SECURITY FIRMS THAT FACILITATE PAYMENTS
Over the years, several reputable cyber investigation and security firms have specialized in communicating with hackers on behalf of their clients (victim companies.)
I would recommend they become conversant with October 1, 2020, U.S. Department of the Treasure advisory titled, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.”
Here are a couple of quotes from the advisory that should make applicable entities pause: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
“Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.”
No need for over-analysis here. The U.S. Government is essentially saying, “If you (victim) pay criminals, or help a victim pay criminals, you may have to pay in other ways too.”
The U.S. government uses its considerable leverage to encourage victim/companies to report hacks to law enforcement.
I applaud this approach. If cybercriminals know that there will be no financial benefit to hacking a company–because their victim cannot pay unless it is willing to subject itself to possible government sanctions–it could impact the spike.
Of course, this would not prevent state-sponsored bad actors from hacking for the sole purpose of causing disruption.
Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.