OFAC warns on sanctions risks for ransomware payments

US Department of the Treasury warns of increase in frequency and cost of ransomware attacks.

The recent trend in criminal use of ransomware is “more focused, sophisticated, costly, and numerous,” according to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). In an advisory issued on 1 October to warn businesses that certain ransomware payments risk violating OFAC regulations, OFAC says it has “designated numerous malicious cyber actors under its cyber-related sanctions program.” For businesses, it is another warning about the dangers of ransomware: a recent Kivu/Hiscox report – Trends in Ransomware and Doxing – found a 404% increase in ransomware demands across the US compared to 2018, a rise fuelled by changing ransomware tactics that now often include data exfiltration to inflate ransom payments.

Three phases of malware

We’ve gone through three distinct phases when it comes to the evolution of malware, says Matt Webb, Hiscox London Market’s Line Underwriter for Cyber. “The first iteration saw the ‘spray and pay’ approach which was all about high volume, low value tactics to deliver malware en masse.” This changed in 2018-2019, Webb adds, to more targeted “big game hunting” where the victims were known and specifically targeted with ransom demands tailored to the ability to pay.

In late 2019 however, the tactics changed again. “Since the end of last year, we’ve seen the emergence of data exfiltration as part of an overall ransomware attack. In addition to the usual tactics, key data – like intellectual property and trade secrets – is also stolen and, rather than sold, is used to compel the victim to pay a ransom demand,” explains Webb.


According to the Kivu/Hiscox report, this practice – known as doxing – sees attackers, “going for low volume, high impact confidential corporate information. They are not extracting large volumes of PII, PCI or PHI to sell on the Darkweb but instead are hunting data that would force a business to pay a ransom to avoid having the information published externally.” The report adds that instead of a ransomware event taking six to 12 months to recover, “an additional doxing incident could require three to four years to resolve fully”, as it takes time for companies to deal with any regulatory breaches or liability that comes with losing customer data or corporate information.

One high profile victim this year was cruise line operator Carnival which found itself the victim of a ransomware attack in August that both encrypted part of its information technology systems and stole confidential customer information. In addition to Carnival, other companies such as Toll Group and Allied Universal have all been victims of these new ransomware tactics by cyber criminals revealing the scale of the problem. “We’ve seen the frequency and severity of ransomware attacks increase with more claims in 2020 already than in the whole of 2019,” says Webb. According to Crypsis, the largest ransom paid between 2015-2019 was US$15 million but that figure ballooned to US$30 million in 2020.

Little and often

Criminals very often start the data exfiltration process with a ‘little and often’ mindset following access to a compromised email account for example. “Rather than take huge amounts of data in one single attack – which can be easier for the victim to detect – hackers will try to remain anonymous on a company’s network and be more discreet in the data they exfiltrate to both maintain the value of the data they steal and allow them to continue dipping into that source,” says Webb. Using email to exfiltrate large volumes of data is not ideal as it can be detected and blocked, he adds. “That is where file sharing services like Dropbox or OneDrive come in handy for hackers as they offer a simple route to move large volumes of data outside a business.”
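The “little and often” pattern described above is exactly what a single-day volume threshold misses, so a defender has to look at sustained uploads to file-sharing services over several days as well as at one-off bursts. The following is an added example, not code from the article or from Hiscox or Kivu: it runs a small detection over constructed outbound web-proxy records (timestamp, user, destination host, bytes sent) and flags a user either for a single-day burst to a file-sharing host or for repeated moderate uploads on several days. The host-suffix watchlist and the byte and day thresholds are assumptions to be tuned to your own egress baseline.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; tune against your own proxy egress baseline.
BURST_BYTES = 500 * 1024 * 1024      # one day's upload at or above this is a "burst"
DAILY_MIN_BYTES = 20 * 1024 * 1024   # a day above this counts toward "little and often"
MIN_DAYS = 3                         # this many qualifying days triggers a "low_and_slow" finding

# Assumed watchlist of consumer file-sharing host suffixes (the article names Dropbox and OneDrive).
FILE_SHARING_SUFFIXES = (
    "dropbox.com",
    "dropboxapi.com",
    "onedrive.live.com",
    "sharepoint.com",
    "example-onedrive.test",   # constructed placeholder for a tenant-specific host
)

# Constructed sample proxy log: "<ISO timestamp> <user> <destination host> <bytes sent>".
SAMPLE_PROXY_LOG = """\
2020-09-01T09:12:03 alice content.dropboxapi.com 48000000
2020-09-01T17:40:11 alice content.dropboxapi.com 52000000
2020-09-02T10:05:44 alice content.dropboxapi.com 61000000
2020-09-03T08:55:02 alice content.dropboxapi.com 58000000
2020-09-03T12:01:09 alice intranet.example.test 900000
2020-09-04T09:30:00 alice content.dropboxapi.com 55000000
2020-09-01T11:00:00 bob onedrive.live.com 3000000
2020-09-02T11:00:00 bob onedrive.live.com 2500000
2020-09-03T11:00:00 carol files.example-onedrive.test 950000000
2020-09-03T11:30:00 dave www.example-news.test 120000000
"""


def is_file_sharing_host(host):
    """True when the host is, or is a subdomain of, a watchlisted file-sharing domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FILE_SHARING_SUFFIXES)


def parse_proxy_log(text):
    """Yield (timestamp, user, host, bytes_sent) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, sent = parts
        try:
            yield datetime.fromisoformat(ts), user, host, int(sent)
        except ValueError:
            continue


def daily_upload_totals(records):
    """Sum bytes sent to file-sharing hosts per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, host, sent in records:
        if is_file_sharing_host(host):
            totals[user][ts.date()] += sent
    return totals


def detect_exfiltration(log_text):
    """Return a list of findings: bursts and low-and-slow upload patterns per user."""
    findings = []
    for user, per_day in sorted(daily_upload_totals(parse_proxy_log(log_text)).items()):
        burst_days = sorted(d for d, b in per_day.items() if b >= BURST_BYTES)
        if burst_days:
            findings.append({"user": user, "pattern": "burst",
                             "days": [d.isoformat() for d in burst_days],
                             "bytes": sum(per_day[d] for d in burst_days)})
        steady_days = sorted(d for d, b in per_day.items() if DAILY_MIN_BYTES <= b < BURST_BYTES)
        if len(steady_days) >= MIN_DAYS:
            findings.append({"user": user, "pattern": "low_and_slow",
                             "days": [d.isoformat() for d in steady_days],
                             "bytes": sum(per_day[d] for d in steady_days)})
    return findings


if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_PROXY_LOG):
        print(f"{finding['user']:8} {finding['pattern']:12} {len(finding['days'])} day(s) "
              f"{finding['bytes'] / 1e6:.0f} MB")
```

On the constructed sample, `alice` is flagged as `low_and_slow` (four days of 55 to 100 MB each, none of which would trip a burst rule on its own), `carol` is flagged as `burst` (950 MB in one day), `bob` stays under the daily floor, and `dave`’s large upload goes to a host that is not on the watchlist. In production the per-day totals would come from a SIEM query rather than a text blob, and a sanctioned corporate tenant should be removed from the watchlist so that the rule concentrates on destinations the business does not control.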

Eyes on the bigger prize

Cyber criminals are also being very selective about the data they target says Webb. “The Allied Universal attack only secured 5GB of data which is small by today’s standards, but even these small amounts can be used to force higher ransom payments than might otherwise be secured if the hacker was only targeting an encryption of an organisation’s systems.” And there is real ambition in the size of businesses that hackers are prepared to go after. “If it used to be big game hunting, hackers such as the Maze ransomware group now have their sights on the leviathans of the business world with big listed companies like Canon falling victim,” says Webb.


From an insurance perspective, these new tactics, leading to significantly higher claims costs, could have longer term ramifications for cyber cover. The concept of the premiums of the many paying for losses of the few is challenged when the collected premium pool proves to be insufficient for the claims being paid says Webb. “When this happens, three things change – pricing, terms and conditions and better risk management from customers. Insurers have been focused on getting the pricing right and improving risk selection by scrutinising their customers’ risk controls. Now, terms and conditions are beginning to tighten with co-insurance on ransom payments as well as sub-limits.”

Take steps to mitigate the risk

Mitigating the risk should be the starting place for every business looking to secure competitive cyber coverage in the light of this growing risk. And there are a range of measures that organisations can take comprising the straightforward hygiene factors such as enabling email filtering, regularly patching technology, using a reputable anti-virus product and removing orphaned or duplicate employee accounts. Other measures can include using an internal proxy, identifying and blocking unauthorised configuration changes, as well as undertaking routine penetration tests to understand how a hacker could get into the organisation’s network.
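Of the hygiene measures listed above, removing orphaned or duplicate employee accounts is the one most easily automated, and it is also the one that removes a quiet foothold of the kind the exfiltration section describes. The following is an added example, not code from the article or from Hiscox: it reviews a constructed directory export against a constructed list of active staff and reports enabled accounts whose owner has left (orphaned), people with more than one enabled account (duplicate), and enabled accounts that have not logged on within an assumed 90-day window (stale). The field names, the employee IDs and the service-account allow-list are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed directory export: username, owning employee ID (None for service accounts),
# enabled flag and last logon date (None = never logged on).
DIRECTORY_ACCOUNTS = [
    {"username": "j.smith",     "employee_id": "E100", "enabled": True,  "last_logon": date(2020, 9, 28)},
    {"username": "jsmith2",     "employee_id": "E100", "enabled": True,  "last_logon": date(2020, 3, 2)},
    {"username": "a.jones",     "employee_id": "E200", "enabled": True,  "last_logon": date(2020, 9, 30)},
    {"username": "contractor7", "employee_id": "C900", "enabled": True,  "last_logon": date(2020, 1, 15)},
    {"username": "svc-backup",  "employee_id": None,   "enabled": True,  "last_logon": date(2020, 9, 30)},
    {"username": "old.intern",  "employee_id": "E300", "enabled": False, "last_logon": None},
]

# Constructed HR roster of employee IDs currently employed, and the service accounts
# that are documented and approved (assumed allow-list).
ACTIVE_STAFF = {"E100", "E200"}
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}


def review_accounts(accounts, active_staff, approved_service, today, stale_days=90):
    """Classify enabled accounts as orphaned, duplicate or stale; disabled accounts are ignored."""
    cutoff = today - timedelta(days=stale_days)
    orphaned, stale = [], []
    by_owner = defaultdict(list)

    for acct in accounts:
        if not acct["enabled"]:
            continue
        name, owner = acct["username"], acct["employee_id"]

        # Orphaned: no current employee owns it and it is not an approved service account.
        if owner not in active_staff and name not in approved_service:
            orphaned.append(name)

        # Stale: never logged on, or last logon older than the window.
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            stale.append(name)

        if owner is not None:
            by_owner[owner].append(name)

    # Duplicate: one person holding more than one enabled account.
    duplicates = {owner: sorted(names) for owner, names in by_owner.items() if len(names) > 1}

    return {
        "orphaned": sorted(orphaned),
        "duplicates": duplicates,
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    report = review_accounts(DIRECTORY_ACCOUNTS, ACTIVE_STAFF, APPROVED_SERVICE_ACCOUNTS, date(2020, 10, 1))
    for category, items in report.items():
        print(f"{category}: {items}")
```

Against the constructed data, `contractor7` is orphaned (C900 is no longer on the roster) and stale, `jsmith2` is a duplicate of `j.smith` for employee E100 and has not been used since March, and `svc-backup` is left alone because it is on the approved list. The roster would normally be pulled from the HR system and the account list from the directory, and the three categories map to different actions: disable orphaned accounts, consolidate duplicates, and confirm whether stale accounts are still needed before removing them.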

“The framework from the National Institute of Standards and Technology which focuses on the five areas of identify, protect, detect, respond and recover is a good place for businesses to start,” says Webb. “But responding to the dual threat of encryption and data exfiltration should be a priority for every business. In the past, we have found that where businesses have a good back-up strategy in place, they can get up and running quicker following a more traditional ransomware attack, incurring claims costs less than four times of those companies without an effective back-up, but data exfiltration has blunted its effectiveness.”

Take a holistic approach

OFAC’s warning of the imposition of sanctions against “those who facilitate ransomware transactions” places a further complication for businesses who must make sure they don’t fall foul of the regulators when dealing with a ransomware incident, although it adds that, “OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure or sanctions-related violations.” That risk-based approach is crucial, concludes Webb. “OFAC’s intervention further complicates the picture for businesses at risk of a ransomware and associated data exfiltration attack but also highlights the need to make sure they take a holistic approach to risk management. So as the threat and regulatory landscape changes, they are in the best position to ensure any cyber incident has minimal impact.”

For more information, download the Hiscox/Kivu report "Trends in ransomware and doxing H1 2020 review"

