Paying Ransomware Demands: Is the U.S. a Model?
Paying a ransom encourages the proliferation of ransomware attacks and provides financial support to cybercriminals. As a result, U.S. authorities have decided to impose sanctions on U.S. organizations that give in to hackers’ financial blackmail. The OFAC (Office of Foreign Assets Control of the U.S. Department of the Treasury) has issued several notices to raise awareness among individuals and organizations in the fight against ransomware attacks. One of these notices, published on October 1, 2020, formalizes sanctions related to ransomware payments.
The OFAC specifies that this sanction also applies to organizations that facilitate the payment of ransoms to cybercriminals on behalf of victims.
Thus, the ban on paying ransoms applies to the hacked organization and to the companies or entities with which the infected organization has engaged: financial institutions, insurance companies, digital consulting firms, and financial service providers that facilitate ransom payments.
However, a ransom may still be paid, but only by organizations that cooperate with the U.S. Treasury, the FBI, and other government agencies (source: siliconangle.com).
Without this government approval, organizations are in violation of OFAC sanctions. The legal consequences are significant, including fines of up to $20 million.
Ransomware: Pay or not pay?
According to ZDNet, an IBM study indicates that “nearly 70% of companies targeted by ransomware agree to pay the cybercriminals.” Half of these ransoms amount to more than $10,000 each. The main motivation for these organizations is to recover their data—especially when it involves financial information, customer data, intellectual property, and business projects. In fact, according to ZDNet, “60% of executives surveyed admit they would pay to recover the data.”
In France, there is nothing illegal about paying the ransom demanded. The issue raises many difficult questions: CAC 40 companies have legal obligations to their shareholders, just as public service organizations do. If a law were to impose financial penalties—or even prison sentences—on them, enforcing it would be extremely difficult.
Guillaume Poupard, Director General of ANSSI, recommends not paying, as this provides financial support to the extortionists and thus encourages them to continue their activities. Furthermore, paying a ransom to cybercriminals offers no guarantee that the victim will regain access to their stolen data. Cybercriminals may also keep a copy to resell or trade on the Dark Web, for example.
A tough choice
Submit?
- Paying while knowing that doing so encourages cybercriminals to carry out future attacks. By paying, an organization helps create a new market for cybercriminals.
- Paying and running the risk of being unable to recover or decrypt your data. Cybercriminals who use ransomware purchased on the black market do not always possess the decryption key themselves.
Resist?
- Do not give in and, of course, do not hand over your data and suffer the consequences of a cyberattack (financial losses, downtime or disruption of information systems and production, loss of trust, damage to your reputation, etc.).