Year after year I am thrilled to see new and returning customers come to my presentations. I especially had fun with this year's presentation. The audience was invested and participated, which made things engaging. I know the draw is the technical content, but secretly I hope it's the jokes. 🙂
You can view the recording in this blog or on our YouTube channel. Also, feel free to download the slides and use them at your company to share what a security tabletop exercise is like. I think they're a lighthearted way to ease into more involved exercises.
In this blog, I will highlight key takeaways from the last few slides in the presentation.
Is it legal to pay a ransom?
Everyone hates the “consultant’s creed” answer of “it depends” but in this case it really does. Depending on your state, type of business, number of affected users, and group believed to have breached your security you may have different laws to navigate.
For example, North Dakota Century Code Chapter 54-59.1 states:
“An entity shall disclose to the department an identified or suspected cybersecurity incident that affects the confidentiality, integrity, or availability of information systems, data, or services.” Cybersecurity incidents required to be reported to the department include:
- Suspected breaches;
- Malware incidents that cause significant damage;
- Denial of service attacks that affect the availability of services;
- Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records;
- Identity theft or identity fraud services hosted by entity information technology systems;
- Incidents that require response and remediation efforts that will cost more than ten thousand dollars in equipment, software, and labor;
- Other incidents the entity deems worthy of communication to the department.”
I have emailed the North Dakota State Attorney General’s office for some clarification on this matter. I will update the post when I receive more information.
Currently, North Carolina, New York and Florida prohibit state agencies from paying a ransom.
Additionally, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has warned US persons against facilitating ransomware payments. Paying the ransom often encourages more activity, and you may also risk violating OFAC regulations.
“OFAC may impose civil penalties for sanctions violations based on strict liability. This means a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
Source: https://ofac.treasury.gov/recent-actions/20201001
An open-source project has created a map to keep track of the various states' laws and regulations: https://isitlegaltopay.com/
Be prepared – planning
Educate your employees – Your employees are your first, last, and maybe best line of defense against security incidents. Therefore, one of the best investments you can make is to train them on what they should and shouldn’t be doing and encourage them to notify IT if something is amiss. At the same time, do not treat them like children. The quickest way to drive your end users to work around your security controls or hide potentially bad things is to develop a culture of fear and punishment.
Understand your environment and data – Knowing what data is important and where it lives is critical during recovery. If everything is on one server that’s easy, but if your data is spread across multiple servers and applications, things can be more complicated. It’s important to know where your data lives and its value to the company. This will help you prioritize its protection and recovery.
Store incident response plan off-network – It’s hard to open an incident recovery plan if it’s on the server that is encrypted or on a cloud drive if you have turned off the internet. Keeping a copy offsite, knowing where it lives, keeping it updated, and having it available when you need it is vital to a successful recovery.
Have a communications plan – If you have been breached, you need to assume the attackers are monitoring your internal communications. You need to assume that your messaging platform(s) and email server are compromised and use an out-of-band communication plan. Using new external email accounts (Gmail, Outlook, Proton Mail, etc.) will keep everyone on the same page and your communications private.
Know your cybersecurity insurance and law enforcement contacts – Don’t let the first time you reach out to your cybersecurity insurance company and/or local law enforcement be in the middle of an incident. Reach out ahead of time and make sure you have the correct contact information, and they have yours. This way, in the case of an actual incident, initial contact is smoother, and you can begin working more quickly.
Consider a cybersecurity IR service retainer – Cybersecurity companies are now offering their services on retainer. The benefit for you is that you’ve secured a company’s services at a set rate, and that company will be better prepared to help you. If you don’t have an incident response team on retainer, you will need to contact one, describe the situation, agree to a scope of work, and get the contract signed, and all of that takes time. Also, make sure whoever you use for your incident response work is approved by your cybersecurity insurance company, or you may end up paying that bill yourself.
Complete a risk assessment – Hire a company to help you assess your cybersecurity risks or complete a self-assessment. Learn where you are doing well and where you need to improve in your security practices. This way you know what security projects you should be prioritizing.
Be prepared – technical
Follow good security guidelines: CISA, CIS, NIST CSF, etc. – You don’t have to build your security program from scratch. There are several security frameworks publicly available that you can borrow from. I’ll admit they aren’t page turners, but they do provide actionable steps to improve your security. Another benefit of using well-known security frameworks is that it is sometimes easier to get policies and projects approved if government agencies' names are listed on the supporting documentation.
Implement multi-factor authentication – You’ve probably heard this advice, but have you done it? All administrative portals should have multi-factor authentication. Your Microsoft 365 users need it too. We get customer tickets every month for compromised email accounts. This can lead to ACH (Automated Clearing House) fraud that, in many cases, results in thousands of dollars of losses. Multifactor authentication is included in Microsoft 365 plans, and you need to use it.
Monitor vulnerability lists – Waiting for a forensics report to tell you that you have known and actively exploited vulnerabilities is too late. Being aware of what vulnerabilities affect your technology (software and hardware) is critical. A reliable source for new vulnerabilities is the Cybersecurity & Infrastructure Security Agency (CISA). CISA monitors vulnerabilities and whether they are actively exploited. On their site, you can sign up for vulnerability and security emails or RSS feeds that will help you monitor vulnerabilities affecting your technology.
Update your systems – Software and hardware patches and upgrades fix bugs and security vulnerabilities (everyone knows this). Keeping up with everything that needs to be patched is exhausting. That’s why you need a plan. Start with simple rules:
- Patch externally facing devices as soon as possible
- Remote code execution (RCE) vulnerabilities are patched first (especially if externally facing)
- Critical vulnerabilities (CVSS score 9.0 – 10.0) get applied within 24 – 48 hours
- High vulnerabilities (CVSS score 7.0 – 8.9) get applied within 7 days
- Other vulnerabilities (CVSS score 0.0 – 6.9) are applied during normal product patching
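To show how these rules turn into a repeatable triage, here is a small added example (not from the presentation or the slides) that orders a constructed list of findings and assigns each the patch window the rules above call for. It assumes RCE outranks "externally facing" when ordering, and reads "as soon as possible" for an externally facing critical finding as the 24-hour end of the 24–48 hour window; both are assumptions, and the finding labels are placeholders, not real CVEs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    ident: str        # placeholder label, not a real CVE number
    cvss: float       # CVSS base score, 0.0 - 10.0
    rce: bool         # remote code execution
    external: bool    # affected device is reachable from the internet

def severity_band(cvss: float) -> str:
    """Map a CVSS score to the bands used in the patching rules."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "other"

def patch_deadline_hours(f: Finding) -> Optional[int]:
    """Hours allowed before the patch is applied; None means the normal
    product patching cycle. Assumption: an externally facing critical
    finding gets the 24-hour end of the 24-48 hour window."""
    band = severity_band(f.cvss)
    if band == "critical":
        return 24 if f.external else 48
    if band == "high":
        return 7 * 24
    return None

def triage_key(f: Finding) -> Tuple[int, int, float]:
    """Sort key: RCE first, then externally facing, then higher CVSS.
    The RCE-before-external tie-break is an assumption."""
    return (0 if f.rce else 1, 0 if f.external else 1, -f.cvss)

def triage(findings: List[Finding]) -> List[Tuple[str, Optional[int]]]:
    """Return (ident, deadline_hours) pairs in patch-priority order."""
    return [(f.ident, patch_deadline_hours(f))
            for f in sorted(findings, key=triage_key)]

# Constructed sample inventory for illustration only.
SAMPLE = [
    Finding("VULN-A", 5.3, rce=False, external=False),
    Finding("VULN-B", 9.8, rce=True, external=True),
    Finding("VULN-C", 7.5, rce=False, external=True),
    Finding("VULN-D", 9.1, rce=False, external=False),
    Finding("VULN-E", 8.1, rce=True, external=False),
]
```

Running `triage(SAMPLE)` puts the externally facing RCE first and leaves the CVSS 5.3 finding to the normal patching cycle.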
Filter internet egress traffic – This one is easy to overlook. Everyone has firewall rules that only allow specific inbound traffic, but what about outbound? Uncontrolled egress traffic can make it easy for a bad actor to download anything they need and upload anything they want. Controlling what goes out of your network is as important as what comes in.
Follow 3-2-1-1-0 backup strategy – Try to follow the modern backup strategy 3-2-1-1-0. Three copies of your data, on two different pieces of hardware, one that is offsite, one that is immutable, with zero failed backups. This is a lofty goal but one that may save your bacon one day.
Test your backups – Just because your backup jobs are successful, it doesn’t guarantee they contain all your data or that you know all the quirks that may be involved in restoring your environment. Practice makes perfect. Backups should be tested annually, preferably with a full restore test if you have the capabilities.
Resource links
CISA Tabletop Exercise Packages | CISA
Incident Reporting System | CISA
Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (treasury.gov)
Computer Crime Statutes (ncsl.org)
Incident Response Plan Template | FRSecure
Ransomware Response Playbook | FRSecure
Wrap-up
If you attended the session at nVision, I hope you found it interesting, and this blog gives you some ideas on how to improve your cybersecurity posture. If you missed the session and are interested in viewing it, check out the full recording in this blog or on our YouTube channel.
As always, I appreciate it when anyone comes to any of my sessions, and I hope you found it useful and entertaining. If you have feedback on the session or ideas for future presentations, send me a note.
And for anyone curious, the wrapped giveaways were reprints of the original Choose Your Own Adventure books, not vegan cookbooks. That would be mean. 🙂