Law enforcement agencies and security firms around the world are constantly advising victims of ransomware not to make payment. Many of our blog posts have advised against making payments for various reasons, the most obvious reason being that you have no guarantee you will get your data back after a payment is made. Despite this well-meaning advice, payments are still made to hackers. It is estimated that the authors of the SamSam ransomware netted nearly 6 million USD.
There is another reason to think twice before making the ransom payment. Those who pay the ransom could be funding terrorist activities in foreign countries, which could get you in far more trouble than the original ransomware. In a 2016 article in Apex, Rich Tehrani writes about ISIS using a type of ransomware, Cryptolocker, to fund its activities. Tehrani states: “the penalties for funding terrorism can be prison terms of up to twenty years.”

According to Bleeping Computer, the Department of Justice recently unsealed a grand jury indictment against two Iranian hackers allegedly responsible for the SamSam ransomware. “As part of this indictment, for the first time the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency.” Ali Khorashadizadeh and Mohammad Ghorbaniyan are accused of facilitating the exchange of ransomware payments into Iranian rial. Moreover, OFAC has also added Khorashadizadeh and Ghorbaniyan “to the Specially Designated Nationals and Blocked Persons List (SDN), which means that U.S. individuals and companies are blocked from doing business or conducting any transactions with these individuals. These sanctions could also affect non-U.S. businesses and individuals who conduct transactions with them due to secondary sanctions.” What this means is that if your systems become infected with SamSam ransomware and you decide to pay the ransom, whether via bitcoin or cash, you could face massive fines or other legal penalties.
With the rise in ransomware has also come a rise in data recovery companies who claim to be able to recover data for businesses suffering from ransomware. “It has long been suspected that these companies are not actually using any home-grown techniques to recover victims' files but are negotiating with the ransomware developers and simply paying the ransom on your behalf while tacking on a fee for their work.” These companies are going to face further scrutiny going forward if they do not check the OFAC sanctions lists before sending payment.
As it’s been said before, don’t pay the ransom. The best way to avoid having your business crippled by ransomware is to ensure you have proper backups of your data. If the threat of legal sanctions, fines and jail time is not enough to convince your organization to beef up its security, nothing will.