Weighing Effects of Treasury’s Ransomware Pay Warnings on Cyber Victims and Insurers

Recent warnings from the U.S. Treasury about paying ransomware demands are unlikely to substantially change how cyber insurers cover or handle such situations, according to experts.

However, the advisories are likely to up the pressure on ransomware victims to make sure that they comply with all anti-money laundering and sanctions regulations.

The warnings came in advisories from a pair of Treasury agencies, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC).

The advisories have been issued at a time when experts report that ransomware attacks are rising and just weeks after leaked confidential Treasury filings indicate that money laundering and financing of terrorists as reported by major financial institutions remains a major problem.

FinCEN’s advisory reminds businesses that any entity engaged in money services activities must register with FinCEN and must file suspicious activity reports (SARs) “if it knows, suspects, or has reason to suspect” that a transaction involves $5,000 or more in funds or other assets and involves funds derived from illegal activity.

U.S. Treasury Warns Cyber Insurers Against Paying Ransomware Demands

Treasury’s OFAC said it encourages financial institutions to implement a risk-based compliance program. “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments including depository institutions and money services,” the government said.

OFAC’s advisory reiterates rules that prohibit individuals and organizations from directly or indirectly engaging in transactions or payments with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN) and those covered by embargoes. Parties are supposed check the SDN list to be sure the group or individual they are negotiating with is not on this list of bad actors.

The warnings appear to be more a reminder of the rules and penalties already in place to discourage ransomware payments than they are a response to any wrongdoing. However, they have been issued at a time when ransomware is on the rise. According to the Federal Bureau of Investigation, there was a 37 percent increase in ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019.

Ransomware attacks grew by nearly 50 percent in the 2020 second quarter compared to the first three months of the year, underscoring the risks created by pandemic-related work-from-home requirements, according to cyber insurance and security services provider Coalition. On top of that trend, new strains of ransomware attacks are causing particularly malicious damage.

Insurer Beazley found there was a 25% spike in ransomware attacks in the first quarter of 2020 versus the fourth quarter 2019.

Ransom payments are also on the rise. A report by incident response firm Coveware found that in the first quarter of 2020, the average enterprise ransom payment increased 33% to $111,605 from the end of last year.

The law firm BakerHostetler, which assists victims of cyber attacks, reported that in 2018, the average ransom amount was $28,920. In 2019, the that had increased to $302,539. Ransom demands have continued to grow in 2020.

Follow the Rules

According to cyber specialists, the cyber insurance industry follows the FinCEN filing and OFAC checking rules for situations where there are suspicious actors and where their insureds who are victimized by ransomware attacks may decide to pay.

The Treasury’s warnings appear to be mostly a reminder of the rules and penalties already in place. However, they have been issued at a time when ransomware is on the rise and leaked Treasury documents are raising questions about enforcement of money laundering and other suspicious financial activity.

“I believe that both the legal counsel advising insureds as well as the insurance carriers have been aware of OFAC and have taken OFAC regulations quite seriously,” commented Nick Economidis, vice president and e-risk underwriter, Crum & Forster, in an email. “We’ll likely see some small modifications to existing practices (to make doubly sure that actions are consistent with existing relations), but I do not foresee any big changes.”

“One of the initial questions that our clients ask us is whether companies actually pay ransom and whether there is any prohibition against making payments. Yes, companies pay ransom. And, we are seeing payments made on a daily basis—that’s how big this issue is,” the law firm BakerHostetler wrote in a recent blog post.

The firm notes that before a payment is made, the client generally retains a third-party to conduct due diligence to ensure that the payment is not being made to a sanctioned organization or a group reasonably suspected of being tied to a sanctioned organization. Additionally, there are steps to ensure that anti-money laundering laws are not being violated, the firm said.

Insurance broker Marsh’s U..S. Cyber Practice issued an advisory to its cyber clients — What OFAC’s Ransomware Advisory Means for US Companies — assuring them that insurance costs and payments for ransom demands will still be paid.

“Ransom payments and related investigation and negotiations expenses remain covered losses under the cyber extortion component of most cyber insurance policies,” Marsh told clients. “While other coverage and public policy considerations may prohibit them, the payment of extortion demands by US companies and reimbursement by cyber insurers is not prohibited by OFAC, unless a payment is being made to an SDN. However, ransomware victims, ransom payment facilitators, cyber insurers, and participating financial institutions remain prohibited from doing business with any parties on the SDN list, including payment of a ransom.”

The process of checking OFAC’s SDN list of sanctioned entities is not always clarifying, notes Charles Carmakal, chief technology officer with FireEye Mandiant, a global cyber and national security firm.

“Victim organizations are required to check the list prior to paying extortion demands. However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions,” he explains. “Sometimes victims pay threat actors before they are sanctioned.”

New Ransomware Strains Being Unleashed on Businesses During Pandemic

Cyber Criminals Increasingly Will Target Top Executives in Ransomware Attacks: Report

Ex-Security Chief Martin Urges UK to Outlaw Cyber Ransoms

As an example, he said victims have paid the “SamSam” ransomware operators in the past, not knowing they were based in Iran at the time.

In recent months, the individuals referred to as “EvilCorp” involved with the Dridex banking malware have been connected with the WastedLocker ransomware family, according to Carmakal and some “extortion payment organizations have decided that they would not pay extortion demands associated with WastedLocker incidents out of fear of violating U.S. Treasury sanctions.”

According to Carmakal, many ransomware operators steal a large volume of sensitive data from organizations prior to deploying encryptors and locking organizations out of their systems and data. He said threat actors may ask for money for a decryption tool, a promise to not publish the stolen data, and a walkthrough of how they broke into the network. He said these extortion demands are in the 6-figure range for smaller companies and 7-8 figures for larger companies. His organization knows of several victim organizations that paid extortion demands between $10 million and $30 million.

Role of Insurance

Insurance is an important part of the process of recovering from ransomware attacks.

“Insurance coverage has grown to become a critical step for organizations in preparing for possible ransomware attacks,” according to Eric Stern, partner and co-chair, Data Privacy & Cybersecurity Practice Group, at Kaufman Dolowich & Voluck, in New York.

He notes that coverage for ransomware attacks may fall under different policy lines, depending on the policy language, including cyber-coverage policies, which are the most common. Also depending on language, some policies insure against financial losses, as well as provide the aid of forensic and IT security response teams in managing an ongoing attack.

“This all-encompassing approach has led to insurers becoming a necessary part of an organization’s response and recovery efforts,” he said.

While insurers may offer advice, insureds are the ones who decide whether to pay a ransom in hopes the attacker will provide a decryption key or decide to refuse payment and suffer the losses that can be major. A ransom payment facilitator is often used. In these negotiations.

“The primary decision to pay a ransom is made by an insured and should include relevant input from legal counsel, negotiators and other outside experts such as computer forensics experts,” said Economidis of Crum & Forster.

Putting Municipal Ransomware Attacks— and Cyber Insurance —in Context

An excerpt from this article on municipalities facing ransomware attacks with Tim Francis, enterprise cyber lead at Travelers:

The aim of cyber insurance, expressed most simply, is to get the organization up-and-running with its data. But cyber insurance is not only about paying the cost of recovery but also about offering expertise and unique services as well as knowledge about what to do in uncommon situations.

According to Francis, the expertise an insurer can bring stems from having people who, unfortunately, deal with these situations every day and who are able to recognize patterns, software elements, writing styles and even the organizations and players on the other end of the demand.

“They’ll know from their experience, ‘Yes, we’ve dealt with this actor before,'” he said.

They will know whether the attackers might be willing to negotiate and how much and if they can be trusted to restore access if a ransom is paid.

The insurance carrier may be able to offer valuable input into a ransom situation based on similar loss events. For example, the insurer may have seen the same bad actor involved in a previous case and knows it did not actually provide a decryption key. That could valuable information for an insured to have. “Still, the insurer is not in a position to provide the insured legal advice or make the decision about what is right for the insured’s business,” he added.

According to Economidis, while most policies require the approval of the carrier before a ransom payment is made, in his view this requirement is more about “confirming the reasonableness of the payment rather than the legality” of the payment.

“In my mind, the insurer is in the background and engages in a secondary discussion with the insured so the insured can understand the coverage and coverage implications for their actions, which, is really to say, that the insured wants to know what insurance they have when considering if they should may the ransom payment,” he said.

No Insurance Change

These experts do not anticipate insurers altering their role, coverages or services because of the advisories in any major way.

“I don’t believe that Treasury policy will materially change the services or coverages offered. I believe that it will likely result in some small changes to how legal counsel working with insured’s approach the issue and, maybe, some double checks for OFAC compliance from the carrier side,” replied C&F’s Economidis when asked.

“Insurers will need to be cognizant of the potential penalties they may incur if they attempt to negotiate with ransomware hackers. Insurers should work to have controls in place to prevent prohibited payments and work with the insured and counsel in creating a response plan in light of the advisory,” advised Stern.

Insurers might want to require their insureds to undergo preventative compliance training in an effort to mitigate any potential penalties they may face under the advisory. They should also be active in providing competent counsel as part of the response to ensure compliance with the advisory, Stern said.

Victim Burden

While there may be no big change for insurers, ransomware victims may wonder what to expect in terms of government enforcement of the rules discouraging ransomware payments.

According to Catherine Lyle, head of claims at Coalition, the Treasury advisory “raises as many questions as it provides answers — questions many ignored given the dearth of past enforcement.”

Lyle thinks the advisory signals an “increasing willingness to enforce OFAC sanctions on ransomware payments” and “makes clear that victims of ransomware, and the organizations that assist them, must establish processes to comply with OFAC sanctions or risk the consequences.”

However, echoing Carmakal’s concern, she added that “it remains ambiguous at what point an organization’s compliance obligations are met, never mind that attribution of cyber attacks remains fraught with difficulty.”

Stern said that while potential liability has existed in the past for any party making payments to organizations designated as malicious actors, there has been no explicit guidance in the ransomware context in the past.

“Considering that time is of the essence in ransomware situations, the added difficult step of identifying the malicious actor will create challenging decisions as insurers and response teams balance the threat of data loss with the threat of sanctions.”

“Unfortunately, any non-government entity will struggle to ascertain the identity of a ransomware hacker – let alone to determine if they have been designated a malicious actor by OFAC. This advisory will add another step to an already complex and stressful time for ransomware victims. Also, considering that time is of the essence in ransomware situations, the added difficult step of identifying the malicious actor will create challenging decisions as insurers and response teams balance the threat of data loss with the threat of sanctions,” he said.

FireEye Mandiant’s Carmakal agrees that the OFAC advisory, while well-intentioned, will add more pressure and complexity to victim organizations already challenged recovering after a security incident.

“Ransomware is the most significant and prevalent cybersecurity threat facing corporations today. Most threat actors choose to monetize their intrusions by stealing data, deploying ransomware, shaming, and extorting victims. Some threat actors have specifically targeted hospitals in an attempt to make millions of dollars, a line that many threat actors refuse to cross,” he said. “Today’s ransomware and extortion problem is unbearable.”

FinCEN Leak

The warnings from FinCEN come in the wake of a major leak of more than 2,000 secret suspicious activity reports (SAR) filed by financial institutions with FinCEN. A few weeks ago Buzzfeed and the International Consortium of Investigative Journalists (ICIJ) revealed they had obtained confidential SARs that raise questions about the involvement of some of the world’s largest financial institutions in laundering money for oligarchs and financing for terrorists and arms traffickers.

Lawyers at insurance-focused law firm Clyde & Co. believe the leak will “not only once again shine the spotlight on issues such as money-laundering and corruption but also raise serious questions as to whether enough has been done to tackle these issues by the largest banks and governments across the globe.” According to a commentary on its website, the law firm is also concerned that the leak may lead to future under-reporting by institutions and individuals fearful of being exposed.

(Clyde & Co. has a further concern for the insurance industry over the leak. “As for the insurance implications, the financial institutions mentioned in the FinCEN Files may now need to consider their potential exposure to claims, investigations, and related adverse media coverage,” the firm wrote.)

Also, the Treasury’s warnings were released a week before the G7 meeting of the financial leaders of the seven largest economies. At the G7 meeting, the countries issued a joint statement of concern about increasing ransomware attacks against the financial services sector in recent months. The G7 leaders called on all countries to implement rules to curbs criminals’ access to financial services and promised to pursue a coordinated response with information sharing and economic measures.

The OFAC rules apply to all those that may be involved in a payment to threat actors. According to those involved in these incidents, the key going forward may be making sure that all parties in the process of responding to a ransomware demand —victims, security specialists, financial institutions, negotiators, insurers, legal —notify and cooperate with federal law enforcement officials in addition to following the rules designed to prevent money laundering and avoid sanction violations.

Before paying any ransomware demand, businesses must be certain that an OFAC check has been completed.

In its client advisory, Marsh outlines additional guidance. Ransom negotiators generally may be able to supplement the OFAC SDN list with their own list of prohibited threat actors and, while this step is not specifically required by OFAC, it can offer added protection.

Finally, organizations should also seek an OFAC certification from a ransom payment facilitator after any payment is made, advises Marsh.

BaskerHosteteler experts said they do not foresee a lot of changes in the way they approach ransomware matters.

“Overall, the advisory reinforces points that we have always understood are important. Companies should rely on experts to assist with their due diligence and work with the FBI. Experience in incident response is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area,” the firm wrote in its report on its website.