Ransomware attacks have become a fixture of U.S. business. They are far more common than publicly reported, and the consequences can be severe. The Federal Bureau of Investigation (FBI) did recover part of the ransom paid by a pipeline operator in 2021, after tracing the payment through at least six other bitcoin wallets, but that recovery was possible only because the FBI obtained the private key to the wallet where the funds came to rest; there is no guarantee that future victims will recover anything. The bad actors are not going to stop anytime soon.
So, what is a company to do? Until a company faces the reality of a ransomware attack, it is easy to believe that it will never pay the ransom. Federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), its parent the Department of Homeland Security (DHS) and the FBI explicitly advise victims not to pay, because payment rewards the bad actors and encourages future attacks. That may have been the initial view of the victims of recent high-profile attacks, but when confronted with gas shortages along the east coast and the shutdown of several major meatpacking facilities, each concluded that it was best to negotiate and pay.
The change of heart comes even faster when the victim is a hospital or another business where the damage is immediate and can be irreparable. In 2019, at least two medical practices, Brookside ENT & Hearing Services and Wood Ranch Medical, permanently closed as a result of ransomware attacks.
Paying the ransom is not as easy as you might think. It is not a matter of giving wire instructions to a bank and receiving a confirmation number 30 minutes later that the money has arrived.
Instead, it involves sending bitcoin (or whatever cryptocurrency the attacker specifies) from a wallet the company controls. Opening a bitcoin account is not hard, and a large number of investors have done it, but the exchanges that hold and transfer bitcoin, such as Coinbase, eToro and Gemini, are subject to "know your customer" (KYC) rules, and completing those checks can take from several hours to a day or two. Coinbase's website states that it may take 3-5 business days (which could be 7-10 calendar days) before an account is funded through an ACH transfer of U.S. dollars from a bank account. That delay is the last thing a company wants once it has decided to pay the ransom in exchange for the decryption key.
By contrast, once an account is open, adding to it is generally as easy as sending a wire transfer. So, whatever a company believes about how it would respond to an attack, it should consider opening a bitcoin account holding a nominal amount of bitcoin, so that it is at least prepared to act on the tough decision quickly should the need arise. That account must not become another casualty of the attack: its credentials and recovery codes should be protected with hardware-backed multi-factor authentication and kept out of the corporate identity system and off the machines an attacker with domain access could reach, or the emergency fund may be stolen or locked up along with everything else.
Alternatively, a company may want to engage a ransomware response vendor that already has a funded cryptocurrency account, along with a database of prior payments and negotiations, to help it negotiate the best result.
Does paying the ransom fix all of a victim's problems? Maybe not. The decryptor the attacker supplies can be slow, buggy or incomplete, and payment does nothing about data that was copied out of the network before it was encrypted.
Even with a working decryptor, it can take months or even years to restore the compromised systems, because every affected host has to be decrypted and validated and the environment has to be rebuilt to remove the attacker's access before it can be trusted again. That is why it makes sense to have a business continuity plan for critical business functions in place ahead of time.
The length of the recovery underscores why a company should already have bitcoin immediately available. Insurance coverage for ransomware attacks exists, but insurance reimburses a company for its losses after the fact; the carrier is not going to pay the ransom on the insured's behalf within 24 hours.
In fact, as a result of the increase in ransomware incidents (purportedly 304 million attacks in 2020 alone), premiums for ransomware coverage have risen substantially. Insurers may also look to deny or reduce claims on the ground that a company failed to mitigate its damages by not having a bitcoin account ready to pay a ransom and promptly obtain a decryption key. How much bitcoin is needed? Not a lot; a single bitcoin is a reasonable starting point, since the balance can be topped up quickly once the account exists, but there should be something.
In addition to having access to a bitcoin account, companies should have written compliance and business continuity policies, and training on them, in place before a ransomware attack happens. The compliance policy should, at minimum, remind decision-makers that although paying a ransom is not itself unlawful, paying anyone on the Treasury Department's OFAC sanctions list (the SDN list) violates U.S. sanctions law, with civil penalties imposed on a strict-liability basis and criminal exposure for willful violations. Before any payment, the company (or the ransomware response vendor acting for it) must screen the attacker and the payment address against the SDN list, which now includes specific digital currency addresses for some designated actors, and OFAC's October 2020 ransomware advisory encourages victims to contact OFAC and law enforcement before paying. Companies should also use the guidance published on the FinCEN, CISA, DHS and FBI websites.
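The address screening described above can be automated as a first pass. The following is an added example, not code from the original article or from any vendor: it pulls candidate bitcoin addresses out of a ransom note and checks them against the "Digital Currency Address - XBT" identifiers that OFAC publishes in its SDN XML file. It assumes the layout of OFAC's sdn.xml (an `sdnEntry` element carrying an `idList` of `id` elements with `idType` and `idNumber`). The SDN excerpt and the ransom note below are constructed for the example, and the addresses in them are placeholders, not real sanctioned or attacker addresses.

```python
"""Screen bitcoin addresses found in a ransom note against an OFAC SDN extract.

Added example (not the article's code). Assumes the sdn.xml layout:
<sdnEntry><idList><id><idType>Digital Currency Address - XBT</idType>
<idNumber>ADDRESS</idNumber></id></idList></sdnEntry>. The SDN snippet and
ransom note are constructed; the addresses are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of OFAC's sdn.xml (the real file is at
# https://www.treasury.gov/ofac/downloads/sdn.xml). Name and address are made up.
SDN_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>10001</uid>
    <lastName>EXAMPLE EXCHANGER</lastName>
    <sdnType>Individual</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id>
        <uid>1</uid>
        <idType>Digital Currency Address - XBT</idType>
        <idNumber>1SanctionedExampAddrAAAAAAAAAAAA</idNumber>
      </id>
    </idList>
  </sdnEntry>
</sdnList>
"""

# Constructed ransom note; one placeholder address is "sanctioned", one is not.
RANSOM_NOTE = """ALL YOUR FILES ARE ENCRYPTED.
To receive the decryptor, send 0.5 BTC to
1SanctionedExampAddrAAAAAAAAAAAA or bc1qexamplecleanwalletaddressxxxx
and email the transaction id to the address in README.txt.
"""

# Legacy base58 addresses start with 1 or 3; segwit (bech32/bech32m) addresses
# start with bc1 and use the 32-character bech32 alphabet.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def _local(tag):
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def load_sanctioned_addresses(sdn_xml):
    """Return {address: (sdn_name, id_type, [programs])} for every digital
    currency address identifier in the SDN document."""
    root = ET.fromstring(sdn_xml)
    sanctioned = {}
    for entry in root.iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        name = " ".join(p for p in (fields.get("firstName"), fields.get("lastName")) if p)
        programs = [p.text.strip() for p in entry.iter()
                    if _local(p.tag) == "program" and p.text]
        for id_el in entry.iter():
            if _local(id_el.tag) != "id":
                continue
            idf = {_local(c.tag): (c.text or "").strip() for c in id_el}
            if idf.get("idType", "").startswith("Digital Currency Address"):
                sanctioned[idf["idNumber"]] = (name, idf["idType"], programs)
    return sanctioned


def extract_addresses(note_text):
    """Candidate bitcoin addresses in the note, de-duplicated, in order of appearance."""
    found = []
    for addr in BTC_ADDRESS_RE.findall(note_text):
        if addr not in found:
            found.append(addr)
    return found


def screen_note(note_text, sdn_xml):
    """Return (addresses_found, hits); hits maps a listed address to its SDN details."""
    sanctioned = load_sanctioned_addresses(sdn_xml)
    found = extract_addresses(note_text)
    hits = {a: sanctioned[a] for a in found if a in sanctioned}
    return found, hits


if __name__ == "__main__":
    found, hits = screen_note(RANSOM_NOTE, SDN_XML)
    print("addresses in note:", found)
    for addr, (name, id_type, programs) in hits.items():
        print(f"SANCTIONS HIT: {addr} -> {name} [{', '.join(programs)}] ({id_type})")
    if not hits:
        print("no address-level SDN match (this is not clearance; see usage note)")
```

A hit means stop and escalate to counsel and OFAC; it does not mean that the absence of a hit is clearance. OFAC lists only a small number of addresses, attackers rotate wallets freely, and some groups demand other currencies, so this check complements, and does not replace, name-based screening of the attacker group and the steps in OFAC's advisory.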
The lesson of the recent high-profile ransomware attacks is that private entities should not wait for, or rely on, the federal or state government to resolve the existing and future damage arising from ransomware attacks. Indeed, U.S. Senator Gary Peters of Michigan stated that "private entities, especially those that are critical to our nation's infrastructure, are responsible for assessing their individual risk and investing in the technology to prevent breaches and to ensure that they can continue to provide service to customers who rely on them for basic necessities like fuel."
Representative Carolyn Maloney, Chairwoman of the House Committee on Oversight and Reform, recently sent a letter to the CEO of JBS Foods USA stating that the attack has increased consumer costs for beef and that "[a]ny ransom payment to cybercriminal actors like REvil sets a dangerous precedent that increases future risk of ransomware attacks."
As "cybercriminal actors" become more sophisticated, it will be harder to prevent the damaging breaches Senator Peters mentioned or the increased consumer costs Chairwoman Maloney described in her letter. That is why every company should be proactive and put its controls in place now, access to a funded bitcoin account among them.