Organizations hit by ransomware have a multitude of decisions to make, very quickly. One of those decisions is whether to pay the ransom. Earlier this year, I had the honor of contributing to a two-part series, titled Ransomware: To pay or not to pay? (Part 1 and Part 2). Joined by Danielle Gardiner, CPA, CFF, SVP of Lowers Forensics International, and Shiraz Said, VP, Cyber Risk Product Leader at Arch Insurance Group, we explored a series of considerations that organizations need to take into account when making this momentous and potentially very difficult decision. A new law in North Carolina makes that decision much easier for some public sector entities in the state: they can’t pay.
North Carolina’s Current Operations Appropriations Act of 2021 added a new article to Chapter 143 of the General Statutes, which now reads in part:
“No state agency or local government entity shall submit payment or otherwise communicate with any entity that has engaged in a cybersecurity incident on any information technology system by encrypting data and then offering to decrypt this data in exchange for a ransom payment.”
If a state agency or local government entity becomes the subject of a “ransom demand” in connection with a cybersecurity incident, it should consult with the state Department of Information Technology. These rules apply to the following entities:
- State Agency – Any agency, department, institution, board, commission, committee, division, bureau, officer, functionary, or other entity of the executive, judicial, or legislative branches of state government. The term includes the University of North Carolina and any other entity for which the state has oversight responsibility.
- Local Government Entity – A local political subdivision of the state, including but not limited to a city, county, local school administrative unit as defined in GS 115C-5, or community college.
Double-extortion ransomware attacks pose an interesting problem within the framework of this law. These attacks are more sinister because they do more than just encrypt the victim’s systems and demand payment in exchange for a decryption utility. They also exfiltrate data from the victim’s systems and threaten to leak it on the dark web unless the attacker receives a ransom in exchange for a “promise” to delete the data and not leak it.
It’s unclear whether the North Carolina law reaches this second extortion in a double-extortion attack, since the statute is written around encryption followed by an offer to decrypt, but its ban is consistent with the Federal Bureau of Investigation’s position: the FBI does not support paying a ransom in response to a ransomware attack. And when the possibility of payment is on the table, organizations should be aware that simply making the payment could put them in legal jeopardy.
As stated in Ransomware: To pay or not to pay? – Part 2:
“The primary basis for this legal danger is that under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), U.S. persons who transact with certain listed organizations may be exposed to significant penalties. Specifically, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons List (SDN List), in addition to other blocked individuals. A cryptocurrency transaction with any of these entities may result in the victim regaining access to its systems and data, but could subject the organization to OFAC enforcement action.
In its latest set of guidance on this issue, issued on October 1, 2020, OFAC published the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the Advisory). The Advisory makes it clear that entities involved in facilitating a ransom payment may be doing so in violation of OFAC regulations, subjecting them to enforcement action and fines. This risk is increased by the difficulty of determining who is on the other side of the Bitcoin transaction.
The Advisory highlights these concerns, while noting that certain actions before and after the breach could mitigate OFAC exposure. Implementing a “risk-based compliance program” prior to a breach and promptly filing a “full report of a ransomware attack to law enforcement” after an attack can, according to the Advisory, mitigate enforcement exposure.
OFAC compliance may not be the only regulatory hurdle to overcome if the momentum shifts in favor of payment. In the summer of 2021, following a series of massive ransomware attacks, including the Colonial Pipeline attack mentioned above, four states proposed legislation that would prohibit ransom payments. These efforts have been unsuccessful to date, but organizations must consider regulatory limitations on ransom payments as privacy and cybersecurity laws rapidly evolve.”
Ransomware attacks can affect any organization, large or small. It is critical that organizations do more than just harden their systems to prevent such attacks. They should also strengthen their preparedness in case of an attack. This involves thinking ahead about the organization’s approach to whether or not to pay a ransom.