By: Lucia Argento
In a time that many businesses, small and large, are struggling to pay their monthly bills and stay open, there has been an increase in the number of ransomware attacks happening across the United States. During the COVID-19 pandemic, the demand for payment has increased, leaving a business faced with the decision to either pay up or risk losing data and other important information that may be critical to a company. In response to this uprise in attacks, the Office of Foreign Assets Control (“OFAC”) issued an advisory on October 1, 2020, to emphasize sanctions pertaining to the risks of violating OFAC regulations by facilitating a ransomware payment related to cyber-attacks. Within the past two months, Universal Hospital System (“UHS”) suffered a cyber-attack that may have been one of the largest medical cyberattacks in history, taking weeks for the company to return to normal operations.
Back in 1989 when one of the first documented cybercrimes took place, it remained an uncommon tactic by hackers until the mid-2000’s when they learned how to send threats more discreetly to their victims by making the threats look like real notifications. As time passes, ransomware attacks become more and more frequent. The average demand for ransom in the mid-2000s was around $300 and that number has shifted to roughly $500 in current times. The way a ransomware attack works, is the perpetrator will demand a certain amount of money by a specific date, and if the request is not met the cost may rise, or the information stolen may either be locked or destroyed forever.
In late September, UHS one of the largest healthcare services in the nation, fell victim to a ransomware attack that affected all their United States locations, compromising over 400 facilities total. At first, a staff member inquired on the internet to see if anyone else was experiencing similar issues, but it was not acknowledged by UHS until the following day that their systems were experiencing a ransomware attack and operating under downtime procedures. It was not until three weeks later that UHS started running under normal operations which happen to be a week past the average outage period of 15 days. It is unclear how the attackers demanded ransom, what amount the attackers demanded to be paid, and if UHS actually paid them. It is speculated that Ryuk ransomware was the culprit because files were renamed under the Ryuk extension.
The OFAC has regularly imposed sanctions on actors who assist, sponsor, or provide support to major cybercriminal organizations. According to the OFAC, their latest advisory reiterated “Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” Under the Trading with the Enemy Act (“TWEA”), US citizens are generally prohibited from directly or indirectly engaging with persons or entities on designated blocked persons lists, which includes many known cybercriminals. Therefore, any transaction results in a violation of TWEA and the International Emergency Economic Powers Acts. The OFAC has the right to impose civil penalties for violations of sanctions, which holds a person liable whether they knew or had no reason to know they were transacting with such prohibited individuals.
Due to their regulations, the OFAC generally encourages institutions to implement risk-based compliance programs that help limit exposure to these sanction related violations. This mainly applies to companies with a deep connection to cyber victims like insurance, financial services, and incident response institutions that may pay a ransom on behalf of all their clients for the sake of saving their personal information. Some places consider taking a hit on the money and paying the ransom fee just to ensure their clients’ information is safe, without worrying what the repercussions of paying are. When the OFAC evaluates the possible enforcement outcomes, the companies full and timely cooperation with law enforcement is a huge factor considered to what penalties they could face.
Big companies usually invest in cyber protection to prevent these happenings, but businesses like small hospitals, school districts, and local government agencies may not have the same resources to invest in such products, therefore, leaving them more vulnerable to attacks. The FBI generally does not support paying ransom after an attack has happened. Their website states that paying does not guarantee business to get the compromised data back and paying encourages an attacker to target more victims. Aside from contacting the FBI when an attack occurs, they offer preventative tips to avoid these types of attacks. In addition to being a cautious computer user, the FBI suggests keeping all computer systems like anti-virus and anti-malware systems up to date.
Ransomware effects are not only monetarily damaging but have the potential to ruin trust, reputation, and relationships between businesses and their consumers. To help keep that trust, companies like PayPal have made it clear they will pay for their customers’ stolen data if a problem arises. Experts caution on prematurely paying ransom fees and hope that a victim exercises many options before doing so, especially when companies feel they have no choice but to pay. Others see a small nominal fee and pay it out of annoyance to not have to deal with the issue at hand. The Federal Trade Commission seems to have one of the best outlooks on ransomware attacks by acknowledging law enforcement does not recommend a victim pay the ransom fee, but understands that it’s up to the companies to decide the cost-benefit and risk analysis on getting their files back. Unfortunately, there is not a one size fits all solution on what to do when an attack happens. In today’s times, where companies are more vulnerable to attacks during a global pandemic, it is important that places back up their information regularly, secure the data they back up, and create a plan just in case a business falls victim to a ransomware attack.
Student Bio: Lucia Argento is currently a second-year law student at Suffolk University Law School and a Staff Member of the Journal of High Technology Law. She received a Bachelor’s in Criminal Justice with a minor in Legal Studies from the University of Central Florida in 2017.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.