The decision by multinational JBS to pay a US$11m ransom to cybercriminals highlights the dilemma corporates face: pay up and encourage more ransomware attacks or risk further disruption to their business. Those who opt to pay, however, risk falling foul of anti-money laundering and sanctions rules.
Ransomware attacks quickly bridge the gap between the virtual and the physical world. As Brazil-based JBS, the largest seller of processed meat in the world, discovered last week, an attack launched from cyber space can wreak havoc in the real world. Operations were halted, supply chains disrupted, with consumer prices potentially affected.
The company decided to put an end to the ordeal by giving in to the attackers’ demands and paid a US$11m bitcoin ransom. The company’s chief executive was quoted as saying that the multinational paid the ransom to prevent any potential risk to its customers.
In a ransomware attack, cyber criminals typically disable a company’s systems by infecting them with malware that encrypts all the data, and may also threaten to steal data or paralyse an entire network. In return for a handsome ransom, they promise to hand over a key to unlock the encryption, thus getting the company up and running again.
Such attacks can be particularly debilitating for companies that provide a critical service, such as hospitals where patients have to be turned away because the computer network is frozen. And, according to cybersecurity firm PurpleSec, ransomware is the number one security threat facing companies right now.
Ransom attacks have also been on the increase since the onset of the COVID-19 pandemic. The US Treasury’s OFAC [Office of Foreign Assets Control] stated in guidance in October 2020, “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that US persons rely on to continue conducting business.”
The authorities do not encourage ransoms to be paid. The US government, however, in interagency guidance states, “After systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers.”
If corporates do decide to pay, it doesn’t always work out: “In some cases, some individuals or organisations were never provided with decryption keys after paying a ransom,” the US guidance continues. And after the ransom has been paid, the attackers could ask for more, or they could strike again. And, the guidance says, “Paying could inadvertently encourage this criminal business model”.
The US Treasury’s Financial Crimes Enforcement Network (FinCEN) commented that ransomware payments are becoming an increasing concern for the financial sector. It has taken action to discourage the payments. FinCEN states that if a consultant or agency, for example, pays a ransom on behalf of a corporate, that could be considered ‘money transmission’. Companies that engage in money transmission need to be registered with FinCEN, meet anti-money laundering regulations and file suspicious activity reports.
It’s not just these obligations that ransom payers need to consider. On the same day in October 2020 that FinCEN issued its guidance, OFAC also issued guidelines on how such payments could be in breach of sanctions and ultimately constitute a criminal offence.
There is some good news about the outcome of ransom payments, however. Some of the ransom paid after a cyber attack that occurred earlier in May has since been recovered. Colonial Pipeline, which has a fuel pipeline running along the east coast of the United States, had its systems paralysed, causing chaos for anyone wanting fuel and a hike in gas prices. The company decided to pay rather than risk further disruption and sent nearly US$5m in bitcoin to get control back. In early June the US Department of Justice said that it had recovered US$2.3m of that payment, with analysts at PurpleSec, for example, speculating that if companies cooperate with the authorities, paying the ransom can actually help catch the criminals.