To avoid penalties for ransomware payouts, incident response pros press for due diligence

Cyber Security News

The Treasury Department in Washington, D.C. The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency operated via the U.S. Treasury. (AgnosticPreachersKid, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons)

Being coerced into paying a large ransomware demand is bad enough. Having to pay a large civil penalty on top of that for transacting with a federally sanctioned cybercriminal group is even worse.

Looking to avoid such fines, incident response (IR) experts are advocating for improvements to ransomware response protocols, including additional oversight and demonstrable due diligence, while also imploring the threat intelligence community to practice responsible threat-actor attribution.

Indeed, a recurring series of questions posed at the Incident Response Forum Masterclass event on Thursday revealed that the incident response industry and their clients are still trying to find their footing six months after the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an Oct. 1 advisory warning against companies facilitating ransomware payments to groups who are on the Specially Designated Nationals and Blocked Persons List (“SDN List”) or have a “sanctions nexus.”

John Reed Stark, head of the forum and president of John Reed Stark Consulting, LLC, called the OFAC guidance “perhaps one of the most challenging strict liability statutes that exists in our states [that] scares the daylights out of everyone involved – the insurance companies, the consultants, the lawyers. No one is immune from being worried about this.”

Panelist Travis LeBlanc, partner and vice chair of Cooley LLP’s cyber/data/privacy practice, said his law firm has made certain oversight changes as a result of the OFAC guidance, in that it now brings in its export controls and economic sanctions team to consult with the cybersecurity legal team when clients are faces with a ransomware payment dilemma.

“We wouldn’t have done that before,” said LeBlanc. “Prior to that [OFAC] guidance, it would have just been all worked out by the cyber folks. But now we want to make sure that we have that extra layer of advice, because our cyber team is not an expert in export control and sanctions, but we do have a team that is.”

“We bring in our sanctions lawyers too,” added fellow panelist Chris Cwalina, partner and global co-head of data protection, privacy and cybersecurity at Norton Rose Fulbright. Indeed, “we’ve noticed a lot more sort of scrutiny or involvement, I should say, of other parties, including the insurance companies and the banks with respect to their own [OFAC] compliance checks.”

Aside from oversight, another important step is for companies and their incident response providers to show and they have performed due diligence before opting to pay a ransom.

“That’s all you can do is to… make sure there’s no red flags, and document your due diligence,” said co-panelist Edward McNicholas, a co-leader of Ropes & Gray’s data privacy and cybersecurity practice. “And if you wound up making a payment to a sanctioned party, well then you can say, ‘Hey, here’s our diligence, and I don’t think they’re ever going to bring enforcement action against a company that actually exercises some level of diligence. That would be crazy.”

In a separate session, Kaveh Miremadi, section chief of the enforcement division at OFAC, also emphasized the importance of being able to present proof of due diligence to his agency, which administers over 30 different sanctions programs.

Whenever a ransomware payment is made, companies and their incident response firms, as a mitigating factor, “should be able to document their decision-making process and the compliance steps they took, kind of in real time, said Miremadi, “so that if and when there is a situation on the back-end where the [SND list] link is confirmed and my office is investigating, you could demonstrate to me that the decisions you made at the time were reasonable.”

On the other hand, if it appears that your company ignored “prevalent red flags like public chatter, online blogs” or attributions when paying a ransomware group, then “you’re getting awfully close to” an aggravating factor, because you acted “in willful disregard of these warning signs. So having documentation of the decision-making process would be important in that regard.”

Still, Cwalina suggested that ransomware victims, incident response firms and legal consultants would all be on ever safer ground if threat intelligence firms took steps to practice more conservative, responsible threat attribution.

Especially in cases when paying one of these threat actors may be subject to civil penalties, having the correct guidance on attack contribution is critical, said Cwalina, noting that he was speaking on behalf of himself, not his firm.

“I think, very, very highly of threat intelligence… It’s invaluable in helping us respond to incidents and understanding the tactics and techniques and procedures of the threat actors and understanding what their motives are,” said Cwalina. “However… there isn’t a standard related to attribution. I’m not advocating for a standard – I think that would be too hard – but what I’m suggesting is, there’s no doubt there’s a difference among companies out there regarding how far they will go with respect to attribution they will make. And some companies are more cautious about it than others.”

Consequently, “Threat intelligence firms need to think about when they go out and make [attribution] statements and how they can have downstream effects on people who are suffering these ransomware attacks.”

And it’s not just a matter of OFAC jurisdiction – attribution or misattribution can affect your standing with insurance agencies as well. “You can get hit by an ‘act of war’ exclusion in your insurance if somebody out there says you were attacked by a terrorist,” said Stark.

OFAC is not in charge of criminal cases – such matters are separately handled by the DOJ – but civil cases are actually easier to pursue because the government’s attorneys do not have to prove mens rea win. Strict liability rules apply, meaning one must simply prove that a violation took place. Claiming ignorance that the ransomware actor you paid was on the blocked list is not a defense – not without proving substantial due diligence.

Still, Miremadi tried to reassure attendees, noting that in many ways, nothing has changed. OFAC banning doing business with foreign illegal entities is “old news,” he said. What’s new, however, is “the industry that’s risen around the incident response space with ransomware.”

“And so the advisory was written to inform this new industry, or this new-ish industry, about [OFAC’s] already existing sanctions compliance obligations.”

Addressing Miremadi, Jennifer Archie, a partner in the Washington D.C. office of Latham & Watkins, said that even if it these regulations are old news, there is “some new set of challenges specific to the setting where the cybercriminals communicate anonymous, they demand payments via cryptocurrency and they are applying criminal extortion in order to do that.”

She also inquired if OFAC’s enforcement priorities centered less on the victimized companies themselves, and more on the professional incident response services seeking to help them.

Miremadi said that “every apparent violation is handled on a case-by-case basis,” looking at the facts and circumstances involved. “But I wouldn’t read the advisory to mean that… it’s impossible for a corporation that’s been victimized to violate it. In no way does the advisory say that… And so the strict liability setting should be considered by companies in the context of their sanctions compliance programs.”

There are additional mitigating factors to be considered in these cases, said Miremadi: timely and full notification of, and cooperation with, law enforcement.

“That is something that folks should take seriously and implement as part of their sanctions compliance program when they’re confronted with this type of issue,” said Miremadi. “Don’t call law enforcement on the eve of your payment to the criminals,” or afterwards for that matter. “Give them enough time to be able to actually respond and think about the crisis that you’re facing.”

“And then cooperation… is another substantially mitigating factor that folks should think about,” Miremade continued. “We’re willing to give folks a reprieve on that front when it comes to cooperation. I leave it up our law enforcement colleagues to guide you and what they want from the folks who are involved in the incident.