North Carolina, the First State to Ban Ransom Payments
By Mark Sangster, VP and Chief of Strategy / Adlumin, Inc.
May 5, 2022
Al Capone had it right. He once said, “Prohibition has made nothing but trouble.” One hundred years on, we will see if he was right. It never stopped the rum runners—will it stop the cybercriminals?
Earlier this year, North Carolina became the first state to prohibit government agencies from paying ransoms in the wake of a cyberattack. As part of the latest 2021-2022 budget appropriations, North Carolina bars affected agencies both from communicating with the attackers and from transferring funds to them. The law applies to any agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government, and to other entities for which the state has oversight responsibility.
While the law applies to institutions like the University of North Carolina, it does not apply to private sector businesses. Other states are pursuing similar legislation, with New York pushing legislation to ban ransom payments across both public agencies and private businesses and Pennsylvania’s Senate approving a bill to ban the use of taxpayer funds to pay ransoms.
Congress is also considering a bill (sponsored by a representative from North Carolina) to make it illegal for financial firms to pay ransoms over $100,000 without prior government approval. This move runs contrary to FBI advice not to ban payments, since a ban could push companies into facing alternative extortion tactics or hiding payments from authorities. Of course, the FBI does not officially support paying ransoms in response to cyberattacks.
Before considering the merit and efficacy of ransom payment prohibition, it is important to mention that the US Treasury published an advisory warning of the risks of facilitating or paying ransoms to recipients on the Office of Foreign Assets Control (OFAC) sanctions list. I cannot complete this point without noting that the Internal Revenue Service (the largest bureau in the Treasury department) allows ransom payments (as one item on a broader list of theft losses) as a tax deduction. (Play canned laugh track here.)
Should ransom payments be made illegal? Well, by their very nature, they are illegal. The question is should payment by victims be banned, prohibited, or governed?
Pro-ban advocates argue that ransoms are, after all, illegal, and banning payments would break the economic supply-demand engine that makes ransomware so profitable. This tough-love approach might cause short-term pain to unprepared victims who cannot recover without purchasing decryption keys.
Pro-pay (or choice) advocates argue that banning payments will not discourage ransomware gangs and will only leave victims helpless in the wake of costly operational disruptions. In fact, they often invoke scenarios in which hospitals and clinics are disrupted for weeks and months, patient care suffers and causes medical chaos, and payment prohibition costs lives and not just money. Their approach is the lesser-of-two-evils ethos.
Here is an insightful article on the debate.
Beyond the philosophical or political charge, it remains to be seen whether payment bans will have the desired effect of diminishing ransomware attacks. Ransomware attacks continued to increase after Treasury’s saber-rattling about OFAC sanctions. Nor do the courts seem clogged with cases filed against companies that paid ransoms to parties they could not verify were absent from the OFAC sanctions list. That said, anecdotally, a cottage industry is popping up to conduct OFAC checks, and insurance companies will refuse coverage if payments violate Treasury regulations.
The other question is whether paying the ransom improves the outcome for the victim organization and its operations. Indicators suggest paying ransoms is simply adding insult to injury. One study that surveyed 5,000 companies found that the cost of a ransomware attack doubled for companies that paid the ransom. That same report also noted that 92 percent of ransom payers never recovered the entirety of their data and systems.
I am often asked how best a firm can avoid paying a ransom. And my answer is always this: the best way is to avoid being hit by a ransomware attack. Awareness, training, preparation, and rapid detection can stop ransomware attacks before they disrupt your business. The second-best way is a rapid response based on well-tested business continuity and disaster recovery planning. The interruptions are short, with fail-over to hot backup systems minimizing the impact.
The companies that face the to-pay-or-not-to-pay dilemma are the ones that were not prepared, thought their insurance would solve the problem, or never tested their backup systems. Backup systems were designed for business continuity scenarios like power outages, floods, or fires. They were not designed with out-of-the-box resilience to withstand intentional sabotage by criminals.
Most frustrating is the oft-quoted claim that there were no signs before the attack. This claim is inaccurate and misleading, and it absolves the affected parties of all responsibility. I am not shaming the victim here. But events like ransomware attacks are like airline accidents. It takes a confluence of many factors that culminate in an incident.
Cybercriminals are more chefs than Jason Bourne or James Bond. The sophistication in their attacks lies in the way they stage the attack and use expertise where it counts. The actual ingredients they use are well-known malware or practices, referred to as tactics, techniques, and procedures (TTPs). And ransomware disruptions require longer dwell times and multiple touchpoints within your environment. Each touch, step, file change, login, upload, and so on is another chance for you to detect their presence and do something about it before it is too late.
Adversaries combine publicly available documents and information with stolen credentials or data sold on the dark web to build convincing phishing emails and fake websites. These lures are designed to trick unwitting victims into surrendering their passwords. In the early stages, you can search for compromised credentials on the dark web, detect concurrent log-ins, impossible travel events (consecutive log-ins from two geo locations in a time frame that eliminates travel as a possibility), or failed log-in attempts when criminals hit controls like multi-factor authentication. They aren’t even in, and you can catch them checking the door locks and rattling the windows.
Assuming they gain initial access, we can catch them establishing persistent access. Unusual administrative access, bandwidth spikes, new user accounts, and other well-documented tactics give away their presence. User and Entity Behavioral Analytics (UEBA) identifies suspicious actions committed by authorized accounts and devices, and the endpoint can detect changes and flag attempted sabotage of defensive controls. And then, of course, there are beacons calling back to bad guy headquarters, payload loaders, lateral movement, and a plethora of TTPs that give away malicious activity.
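The early-stage signals named in the two paragraphs above (impossible travel between consecutive log-ins and bursts of failed multi-factor prompts) can be checked with a few lines of code. The script below is an added example written for this page; it is not code from the original post or from Adlumin. The log format, the coordinates, and the thresholds (900 km/h for implied travel speed, three MFA failures inside 60 seconds) are assumptions, and the events themselves are constructed, with RFC 5737 documentation addresses standing in for real IPs.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). One event per line:
# ISO timestamp, user, source IP, latitude, longitude, outcome.
SAMPLE_LOG = """\
2022-05-01T08:00:00Z alice 203.0.113.10 35.78 -78.64 success
2022-05-01T08:12:00Z alice 198.51.100.7 52.52 13.40 success
2022-05-01T09:00:00Z bob 203.0.113.22 35.78 -78.64 success
2022-05-01T09:01:10Z bob 192.0.2.55 35.23 -80.84 mfa_failed
2022-05-01T09:01:25Z bob 192.0.2.55 35.23 -80.84 mfa_failed
2022-05-01T09:01:40Z bob 192.0.2.55 35.23 -80.84 mfa_failed
2022-05-01T09:01:55Z bob 192.0.2.55 35.23 -80.84 mfa_failed
2022-05-01T13:00:00Z carol 203.0.113.30 35.78 -78.64 success
2022-05-01T17:30:00Z carol 198.51.100.9 40.71 -74.01 success
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip,
            "lat": float(lat), "lon": float(lon),
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful log-ins per user whose implied speed exceeds max_kmh.

    Two log-ins from different places at the same instant (a concurrent log-in)
    imply infinite speed and are flagged by the same rule.
    """
    last_success = {}
    alerts = []
    for e in events:
        if e["outcome"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev is not None and prev["ip"] != e["ip"]:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append({"user": e["user"], "from_ip": prev["ip"], "to_ip": e["ip"],
                               "distance_km": round(dist), "speed_kmh": round(speed)})
        last_success[e["user"]] = e
    return alerts


def detect_mfa_failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag (user, source IP) pairs with >= threshold MFA failures inside a sliding window."""
    recent = defaultdict(list)  # (user, ip) -> failure timestamps still inside the window
    alerted = set()             # alert once per pair, not once per extra failure
    alerts = []
    for e in events:
        if e["outcome"] != "mfa_failed":
            continue
        key = (e["user"], e["ip"])
        recent[key] = [t for t in recent[key] + [e["ts"]] if e["ts"] - t <= window]
        if len(recent[key]) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": e["user"], "ip": e["ip"], "failures": len(recent[key])})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_impossible_travel(evs) + detect_mfa_failure_bursts(evs):
        print(alert)
```

On the constructed input, alice is flagged (Raleigh to Berlin in twelve minutes), carol is not (Raleigh to New York over four and a half hours is ordinary travel), and bob's four failed MFA prompts from a single unfamiliar address trip the burst rule on the third failure. In production the same logic would read from the identity provider's sign-in log and the coordinates would come from IP geolocation, which is why the speed threshold is deliberately generous: geolocation error, VPN egress points and mobile carriers all produce false "travel" that a tight threshold would turn into noise.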
There were plenty of signs. Post-event, your insurance company will find them, or their appointed incident response firm will. So, pretending there were no signs won’t help. As I say, ignorance is not bliss—it’s potential negligence or liability.
So why do ransomware attacks go unnoticed if there are so many early signs of compromise? Simple. Most companies don’t know where to look in the shadows to find the indicators. What you can’t see poses the most significant risk. Between the cloud, hybrid networks, and the darknet, there are countless gaps where threats can hide. Most companies are in the dark regarding what is happening in their environment. And no one likes to be in the dark alone.
That’s where Adlumin comes in. We illuminate threats to eliminate the risks. We illuminate threats that would have otherwise gone unseen with powerful automation that enables rapid action and continuous compliance. And our platform is backed by an expert team delivering human insights and trusted support.
That might sound like marketing (and it is) but is more than a well-honed tagline. I have been in the cybersecurity business for over 25 years, and I helped define Managed Detection and Response. I’ve seen nation-state attacks, rampaging ransomware gangs, and clever criminals take down companies of all sizes.
I joined Adlumin because they get it. They know where to look and how to respond to protect their customers. And I am proud to represent the experts who develop our products and the analysts who work in our security operations centers. They face these sophisticated adversaries every day and stop their attacks before they shutter our customers’ operations.
There are ways of stopping ransomware attacks before you need to consider paying extortion fees or crossing regulatory lines. You can stop attackers before they stop you.
Will prohibition work for ransomware payments when it has failed to control alcohol and narcotics use and distribution? If we ask the pundits, the answer is no. The Nobel prize-winning economist Milton Friedman once likened prohibition to making water run uphill.
While payment ban legislation and bills line up like planes on final approach at a major airport at Thanksgiving, pragmatism and market pressures will decide the matter. As insurance coverage decreases, claim denials increase, and (fingers crossed) companies invest in cybersecurity strategies that reduce their risk, the efficacy of ransomware will erode, and criminals will find a new tactic.