Power in Numbers: Collaborating to Fight Ransomware
Ransomware is one of today’s biggest business risks, with one recent study reporting a 435% increase in ransomware events in 2020. In 2021 we have seen record-breaking ransoms and attacks on the nation’s supply chain and critical infrastructure. Yet collaboration between victims, the federal government, and the cyber insurance industry may be helping turn the tide on this digital pandemic.
Recent guidelines from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) may be helping remove the stigma associated with reporting ransomware attacks, giving cybersecurity leaders greater insights into the tactics, techniques, and procedures of ransomware gangs. The Justice Department is then using this information to launch new offensives aimed at reducing the financial incentives of ransomware, while cyber insurers are offering coverage and services for the digital forensic investigations that support both.
In October 2020, OFAC published its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which reminds businesses that ransom payments to individuals or entities in sanctioned countries, or to those on the Specially Designated Nationals and Blocked Persons (SDN) list, can result in severe civil penalties. Sanctions violations are assessed on a strict-liability basis: even a victim that does not know it is transacting with a prohibited party can incur civil penalties of up to $20 million. A willful payment to such an attacker can even result in prison.
Unfortunately, ransomware attackers deliberately hide their tracks, so a victim rarely knows with certainty who it is paying. At the same time, companies need data restored quickly to sustain critical, and sometimes life-supporting, infrastructure. This leaves victims with an unenviable decision: pay the ransom and risk severe fines and legal costs, or endure downtime that can be literally life-threatening and risk the public release of personally identifiable information.
However, OFAC will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.” By incentivizing companies to report ransomware attacks rather than deal with them privately – and without assistance from authorities – law enforcement gains irreplaceable insights into ransomware gangs. This intelligence can then inform and prepare others.
In late March CNA Financial Corp. paid a record $40 million following a ransomware attack. In a statement, however, it highlighted its cooperation with the FBI and OFAC. Together with the authorities and cybersecurity experts, CNA determined the attackers were likely not a sanctioned group – even though the malware was similar to code created by now-sanctioned Evil Corp. While paying a ransom is always a case-by-case decision, CNA could at least feel confident they would not face penalties if they did make a payment, and investigators learned more about a new malware strain known as Phoenix Locker.
Greater transparency into ransomware attacks not only protects victims from potential legal or regulatory liability and the economy from systemic risk, it also gives authorities greater weapons to fight cybercrime. Prior to paying $4.4 million in May to restore service to its oil and gas pipelines, Colonial Pipeline consulted the FBI’s Atlanta office and was then referred to their California “center of excellence” for ransomware.
Within a month of the ransom payment, the Department of Justice announced that its recently launched Ransomware and Digital Extortion Task Force had recovered the majority of the Bitcoin used by Colonial to pay. The seizure marked the first such operation and demonstrates the potential for the government to go after the digital currency ecosystem that fuels ransomware attacks.
Hackers favor cryptocurrencies because transactions are pseudonymous and funds can only be moved by whoever holds the wallet’s private key. In this case, the task force traced the ransom payment on the public Bitcoin ledger to a specific wallet address and obtained the private key, which allowed it to seize the funds. While the DOJ has not revealed how it got the key, the cooperation of Colonial and other victims, as well as the cryptocurrency exchanges themselves, is clearly something authorities value in their pursuit of cybercriminals.
Of course, investigating a cyberattack and communicating properly with authorities can be expensive and complicated. Fortunately for business owners, cyber insurers provide forensic, legal and financial resources to help determine the best response to a ransomware attack. Many remediation providers used by insurers employ former law enforcement personnel, regulators, and security vendors who can explain to investigators not only the due diligence that justified a payment, but the financial duress that motivated it. By notifying their carrier and the authorities promptly after a breach, cyber insureds can protect their business, comply with regulatory bodies, and aid in the global fight against ransomware, all at the same time.
Kirsten has 25+ years of cross-sector experience in risk intelligence, information management, and policy expertise. As CEO of big data and cybersecurity companies, she has led the strategy and development of next-generation analytics and attack detection methodologies. She’s served on committees developing cyber policy for the intelligence community, collaborated on information studies for federal agencies, and presented national security and critical infrastructure concepts at industry events.