Rapid advancements in the manufacturing industry have allowed companies to increase throughput on their production lines, reduce unplanned downtime, and manage connected assets with increasing precision.
As manufacturers consolidate legacy systems and manual processes through smart manufacturing initiatives, the new digitally connected workflows have attracted criminals. Hackers have focused on these new targets with plans to make quick money using disruption from ransomware.
Facilitating a ransomware payment enables criminals and U.S. adversaries to profit and advance their illicit agendas. Due to the increase of criminal activity from sanctioned adversaries, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory. Collaboration with Federal agencies to determine if ransom payments violate OFAC regulations is strongly encouraged.
Funding Criminal Activities
For years, businesses impacted by ransomware were encouraged to begin the sometimes long recovery process or consider paying the ransom. Federal law enforcement has requested for years that victims of these malicious attacks inform Federal agencies and resist the urge to pay the ransom. As companies continue to seek more immediate pain relief by paying the ransom, Federal agencies have now recommended what could become new laws regarding future business practices.
What are these changes, and why are they needed? Let's find out.
Backstory About Ransomware
Ransomware continues to be one of the top business threats since 2015. As the name suggests, ransomware is a specialized form of malware that prevents users from accessing data on computers, servers, and networks. For unprepared leadership to regain access to their data, they have to pay a ransom with cryptocurrency, typically in Bitcoin.
In many cases, these ransomware attacks come from Nation-State actors who target U.S. businesses for profit and damage. Companies with a proper business continuity plan will quickly recover and continue revenue-generating operations.
Why do companies pay the ransom?
Even with the recommendation from Federal agencies to not pay, many businesses still pay the ransom. In a recent study from ProofPoint, 33% of organizations that experienced a ransomware attack opted to pay for the decryption key. But why would stakeholders of successful businesses opt to pay the criminals who initially hurt them?
The three common reasons leadership teams pay the attackers are to reduce downtime, limit the incident's exposure, and the business has no other means to recover.
Whenever a ransomware event occurs, the affected business has to evaluate its options. They could go through an entire process of notifying their IT team or IT service provider, calculating the cost of damages, and performing the necessary steps to hopefully recover or pay the ransom and receive the decryption key. While this process would seem to be the quickest solution, there is no guarantee of receiving a decryption key.
While 70 percent of the businesses that reported paying for the decryption key did have their files decrypted, the other 30 percent were not as fortunate. Of those that paid the ransom, 22 percent reported not receive any decryption keys, while another 10 percent received instruction to pay a second ransom. Due to how sensitive business is to downtime, mere hours can cost thousands of dollars in damages.
Companies and cyber insurance providers have to calculate and compare the cost of paying the ransom for the decryption key versus the cost of damages and expenses needed to reload or replace machines and equipment.
Putting a Lid on Reputation
Imagine that you are a stakeholder of a well-known U.S. manufacturing business. The business reputation for quality products, on-time deliveries, customer service, and digital trust improves your sales and margins. Numerous direct and indirect stakeholders expect you to be less risky than your competitors. This earned reputation facilitates growth.
Late one night, you start receiving texts and phone calls. Each message states the same urgent plea for help because your business is at a standstill due to ransomware. Your priority is to understand how bad the incident is, the extent of breached and compromised data, and how quickly you can recover.
Knowing that the longer you cannot produce products or accept and ship orders, you will miss commitments and stand to lose future orders and contracts. You want to keep this quiet and make it go away. You begin to rationalize paying the ransom.
Surprisingly, many small and medium-sized businesses opt to pay the ransom. According to Security Boulevard, 53% of the surveyed SMB's that would consider paying the ransom would do so to protect their company's public image for data security. One such manufacturer paid a $150,000 ransom and did not involve federal authorities.
Another reason businesses refrain from reporting these incidents is to minimize the incident notification costs. When companies work with sensitive customer information, they may have to cover the costs to prevent damage to their customers while also paying fines related to the breach.
No Other Means to Recover
A common reason companies pay the ransom is that they have no way to continue business operations. Manufacturers that do not have a tested data recovery process or business continuity plan do not have a reliable means to recover. This situation places business leaders in a position where they may have to permanently close the business if they do not pay the ransom.
It is understandable why small and mid-sized manufacturing companies outsource system security and data backup services to a third-party provider. It is easier to delegate this responsibility, so business leadership commonly assumes that the IT services or managed services provider (MSP) performs the backups and keeps the systems secure. This false sense of confidence leads the management team into risky behavior. They do not verify the effectiveness of their service provider, and they often regret it.
Many business executives are also unaware that MSPs are direct targets for funneling ransomware attacks to their customers. Yes, you read that correctly. MSPs are an increasing cause of ransomware events for the businesses they are contracted to secure.
Businesses that outsource their backup services should regularly test the services you are paying monthly to meet the recovery expectations promised. Doing these regular tests also forces MSPs to be accountable for their actions if they fail to meet your expectations.
Why report the crime?
The October 1, 2020 advisory from the OFAC guides companies who negotiate or facilitate payments on behalf of ransomware victims. This advisory applies to "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response."
Whether intentional or not, paying the ransom to sanctioned organizations can have legal repercussions, including fines that can cost $20 million. If a business has no other option but to pay the ransom, the OFAC has stated that they would consider "a company's self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."
Victoria Beckman, Co-Chair Privacy & Data Security of the law firm Frost Brown Todd said. "While the intention of the advisory is understandable, in practice, it adds another layer of risk to a company that is already dealing with a ransomware attack and its costly consequences. Now, the decision of whether to pay the ransom has to be made in light of potential sanctions. One of the most effective ways to avoid being in this catch-22 situation is to be prepared, and as the advisory states, "implement a risk-based compliance program to mitigate exposure to sanctions-related violations." Being proactive in cybersecurity, training employees, implementing incident response plans and business continuity processes that include backups is now more important than ever to mitigate the risk that a company will be forced to pay a ransom."
Are you confident in your response to ransomware and your documented ability to recover? Statistically speaking, you have weaknesses. Developing a response plan during a downtime event is not very effective in minimizing disruption. Certitude Security® firmly believes that calculated planning and prevention reduces business disruption and cause less financial burden than a prolonged recovery.
You can learn from mistakes other executives made trusting their MSP to secure their businesses from disruption, financial loss, and reputational damage.
As a proud supporter of American manufacturing, we offer services to improve your understanding of current security levels, pinpoint the gaps, and evaluate how well your outsourced IT service provider fulfills their contract requirements.
We are working diligently to inform leaders and facilitate essential asset protection priorities for manufacturing businesses throughout the United States. If you are interested in learning about the empowerment services that Certitude Security® can offer, visit our website or coordinate a time to speak to a team member today.