Banning Ransoms: The Evolving State of Ransomware ResponseAlso: Hiring Employees in Wartime and the Need for Clarity in Crypto Regulation Anna Delaney (annamadeline) • September 1, 2022 16 Minutes
The latest edition of the ISMG Security Report explore the possible unintended consequences of banning ransom payments, the challenges of opening a cyber intel firm during wartime, and the need for more clarity in the regulation of cryptocurrency firms.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz discuss whether the decision by lawmakers in two U.S. states to ban local and state government agencies, and sometimes schools and universities, from paying ransoms will create more problems than it solves;
- ISMG's Jeremy Kirk describe the challenges that Alex Holden of Hold Security faced and continues to contend with in deciding to open a branch of his cyber intel firm in Ukraine during wartime;
- Ari Redbord, an ISMG contributor and legal and government affairs lead at the blockchain analytics firm TRM Labs, outline the need for further clarity from regulators following the sanctioning of cryptocurrency mixer Tornado Cash.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Aug. 18 and Aug. 25 editions, which respectively discuss how ransomware groups' shakedown tactics are evolving and whether ransomware-as-a-service groups are in decline.
Anna Delaney: The unintentional consequences of banning ransom payments and the challenges of opening a cyber intelligence firm during a war. These stories and more on this week's ISMG Security Report.
Delaney: Hello, I'm Anna Delaney. Ransomware attacks continue to pummel organizations. What can be done? What should be done? Lawmakers in two states have responded by banning local and state government agencies, and sometimes schools and universities from paying ransoms. Is this a good strategy? Or does this create more problems than it solves? To discuss, I'm joined by Mathew Schwartz, ISMG's Executive Editor for DataBreachToday and Europe. Matt, who's been banning ransomware victims from paying a ransom?
Mathew Schwartz: Anna, two such laws are already on the books in the United States, in effect in May in North Carolina and July in Florida. North Carolina's law is a bit stricter. It applies to state and local government agencies as well as public schools, community colleges and universities. It also requires all such victims to rapidly report ransomware attacks to the state's IT department to consult with the state IT experts. Interestingly, the law doesn't just prohibit paying ransoms but communicating with attackers in any way. I think we'll get back to that in a moment. Now, the other law that's on the books so far is in Florida, and it doesn't ban communicating with attackers. It also appears to exclude public school districts and universities from the list of entities that are prohibited from paying. For example, legal experts who have been tracking these moves. Other states are considering similar strategies. Pennsylvania Senate in January, for example, passed a bill, which the State House has yet to vote on, which would ban taxpayer-funded agencies and organizations from paying a ransom. Other similar laws are also being considered at Arizona, New Jersey and Texas. In New York, there's a proposed Senate Bill, which would prohibit government entities, as well as business entities and healthcare organizations from paying a ransom in the event of a cyber incident, or a cyber ransom or ransomware attack. As a result, even a private hospital or a financial services firm would be covered. For some firms hit by ransomware, experts tell me it can be "pay or the business dies." That can be a result for some patients if healthcare is hit, and vital critical services are disrupted. There could be a real impact from these laws. I'm not sure lawmakers have considered this before moving these bills along.
Delaney: The question is, will banning ransoms take a bite out of cybercrime? Or is this a misguided attempt by lawmakers to be seen to be doing something?
Schwartz: That is a question, isn't it? Are lawmakers doing something that is going to help? We have a massive history of failed legislation. CAN-SPAM being one of my favorites, passed in the United States to ban spam. It's 2022 and spam is no longer a problem, thanks to this innovative law that got passed. There's a propensity by lawmakers to pass laws to ban things. Unfortunately, they always seem to have gotten the criminal element on board with their plans when they do these sorts of things. I spoke to multiple experts about these laws. I said, is there any good that can come out of this? Or could there be a lot of unwanted unintended consequences? These experts universally agreed that these are a bad idea, these laws. You're going to have no effect. Criminals don't care if you've banned ransom payments. They're going to continue to attack organizations. The way they work is, that they typically hack their way into any network they can find it looks interesting, and belatedly figured out who owns it. If it happens to be a local or a county government, say in Florida, they're not going to avoid that. They're just going to crypto lock it anyway. By banning the ability of this county government, in this case, to pay a ransom, lawmakers are tying the network defenders' hands behind their back. There are numerous instances in which attackers have furnished a free decryptor. For example, if they hit a healthcare organization, this isn't ideal. They'll still crypto lock systems, but in some cases, this decryptor can help organizations get back up on their feet or ransomware negotiation firms may identify exactly what attackers have fit. This can inform how incident responders go about trying to get the victim back up and running again. If it's been a relatively small number of systems that were hit, for example, there might not be that much time or effort involved. One of the best examples I can think of offhand is Conti, which in May 2021 hit Ireland's National Health Service. A lot of bad press resulted and Conti said, "Oh, we never mean to hit healthcare." So they furnished a free decryptor, and Ireland took that. They had to roll out the army in order to get the decryptor working on all the different endpoints that got hit. But with that decryptor and $48 million in cleanup costs, Ireland eventually got back up and running again. If they hadn't had the decryptor, the bill would have been even higher. That's another takeaway here. By banning ransoms potentially, ransomware attacks that are successful are going to end up costing taxpayers more money. We can debate the ethics of paying, but we should also highlight that this strategy will likely lead to taxpayers having to pay more money to help state, local and other public entities recover from ransomware attacks.
Delaney: Matt, is this the first time to your knowledge that we've seen such bands come into effect?
Schwartz: Yes, definitely, at a state level. We've seen the federal government ban ransom payments if it's a sanctioned entity. So you can't send them money for any reason, including if there's ransomware involved. But in terms of just a blanket ban, security experts have been debating whether this would be a good thing or not, for a long time now. If you can take away the flow of funds to criminals, they're going to need to look elsewhere. But again, the unintended consequences of banning ransoms, could be severe, could be business-ending, hopefully not life-ending in terms of healthcare organizations. But certainly, do you want to even have that be a possibility? It's very fraught and I think it'll be interesting to see what happens in these states, and how these laws perhaps get tested in court. If organizations feel that their hands have been tied, and they're not able to respond in the way that they need, both in terms of patience, and perhaps in terms of shareholders. We'll see what happens.
Delaney: We'll see what happens indeed. Thank you as always, for your insight, Matt. This has been great.
Schwartz: Thanks, Anna. Always a pleasure to talk ransomware.
Delaney: What's it like to open a cyber intelligence firm during wartime? Alex Holden, CISO and founder of Hold Security, spoke with ISMG Executive Editor Jeremy Kirk, about his decision and the challenges he's been facing in the process.
Jeremy Kirk: Alex Holden is CISO and founder of the cyber intelligence company Hold Security. He was preparing to open an office in Ukraine when Russia invaded in February. He went ahead with his plan anyway. Why would Holden do this, knowing that at any moment Russia could start launching long-range missiles and shells? He'd already picked the person who would head the office and after the invasion was underway, she got in touch with him. Here's Alex:
Alex Holden: This person called me and she said, "Well, we're going to do this one out." It was less than 100 hours since the beginning of the war. We made a very simple decision, say, "Hey, we're going do it."
Kirk: Alex was born in Ukraine. He left with his parents not long after the Chernobyl nuclear disaster in 1986. He first stayed in Moldova, then his family was admitted to the United States and he moved to Milwaukee, Wisconsin, around 1989. Holden eventually founded Hold Security. It specializes in threat intelligence, risk management, penetration testing and incident response. Holden has uncovered some of the biggest data breaches over the last decade, including Adobe Systems, JP Morgan and Target. Last November, he went to Ukraine for the first time since he left more than 30 years ago. "The country had vastly changed," he says. It had been tackling corruption. It has stepped up its fight against cybercrime and had conducted raids against suspected cybercriminal extortionists and ransomware operators. It was the right place to set up an office to supplement Hold Security's European headquarters in the Czech Republic.
Holden: We sold this bright light ahead where we can actually bring in a Ukrainian office with the support of the local government and with the support of local laws in order to fight cybercrime more effectively. We were invigorated by Ukrainian culture that was resilient and dealing with the war with Russia for eight years at the time.
Kirk: Hold Security has contributed money to help the country but it's also helping with employment. His company has hired more than 20 Ukrainians and is training most of them to become threat intelligence analysts. Others work in software development. The move provides jobs for people at a critical time. Some are working at the company's Czech office, while others are in Ukraine.
Holden: We found a lot of great people who did not have abilities, some of them to go and pick up a gun and fight for the country. But they have the ability to do this in cyberspace: to defend their country, defend them against cybercrime, defend the community because Russia is not only attacking Ukraine today, it's attacking the world in cyberattacks of unimaginable proportion.
Kirk: It has not been easy. His company has had to navigate a host of HR issues that it and likely most companies out there have never faced: people fleeing war. "One employee even had a family member who was captured by the Russians," Alex says.
Holden: We got people to start moving to our Czech offices, almost immediately at the beginning of the war, providing them safe passage. We spent sleepless nights helping and making sure that people get safely across the border. The border is not a treacherous place, but it's a complicated place. People have to get there safely and get through Europe. For some people, we had to figure out how to get them money for gas to travel from the border to our Czech offices. These are not simple things. Then when people are coming, where they're going to stay? Initially hotels. Yes, that's easy. But some of them have families, some have animals and we said, "Okay, you guys need to keep your family dynamic. Your pets and everything, they all have to be safe."
Kirk: I spoke with Alex on Ukraine's independence day last week. He says the country he remembers as a child has long gone, but he remains positive about the future.
Holden: I sincerely hope that this Independence Day for Ukraine, unfortunately coinciding with six months of war, would be a turning point. It's not to me as much about victory as about peace and getting back to normal. Getting Ukraine back as a whole.
Kirk: For Information Security Media Group, I'm Jeremy Kirk.
Delaney: In early August, OFAC sanctioned currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. The move has drawn criticism from leaders in the crypto industry. They say they're not sure what they need to do to stay on the right side of the law. On our latest episode of Sound Off, I asked Ari Redbord, a former Treasury Department's senior advisor and now the legal and government affairs lead at the blockchain analytics firm TRM Labs, where he'd like more clarity from the regulators.
Ari Redbord: I think what is definitely fair is that the crypto industry, the crypto economy, is in need of guidance here from regulators for a number of reasons. One, I think it's pretty clear to anyone who thinks about these issues that regular users who have had inadvertent or unsolicited transactions with sanctioned addresses are not going to be the target of enforcement actions by OFAC. For example, we've seen what we call these dusting attacks, where people have sent small amounts of crypto to known, famous individuals; people whose addresses are known to make a statement. Now, I think the reality is, we all know, certainly having spent a number of years at Treasury that Treasury does not use its enforcement authorities to go after individuals in the space. But I think we need guidance that says that that just makes that very clear. But much more importantly, the guidance needs to go to cryptocurrency businesses, to DeFi protocols to say, "Hey, these are the types of addresses you should and should not block," because I think what we're seeing here is, users who are being blocked for having some transaction history or transacting with Tornado Cash in a less than meaningful way. I think, on the one hand, it is very clear that if an address is on the sanctions list, if it is one of those 45 addresses that is listed by OFAC associated with Tornado Cash, that it should be blocked, because if you are a U.S. person or entity, you are prohibited from transacting with those addresses. The real gray area, the area that we need more granular understanding on, is that secondary exposure. Have you transacted as an address with one of those sanction entities and I think that's what we're looking to get guidance on, not just for the individuals affected but for the entities and how they should mitigate risk.
Delaney: That's it from the ISMG Security Report. I am Anna Delaney. Until next time!