支付勒索软件黑客的重重考验

黑客本月两次用勒索软件攻击德国企业集成和物联网平台软件公司。

10月5日，该公司的服务器和员工的笔记本电脑上下载了数据，其内部系统也遭到了破坏。据报道，黑客要求对超过2000万美元的数据进行加密。

据ZDNet称，当软件公司拒绝时，黑客将该公司员工护照、身份扫描、电子邮件和财务文件的截图从其内部网络发布到黑暗网络上。

软件公司的攻击是所谓的“双重勒索”，黑客先提取敏感的商业信息，然后再加密受害者的数据。据Check Point Research称，黑客随后威胁说，除非他们的赎金要求得到满足，否则他们将发布这一消息。Check Point Research向母公司Check Point软件的客户以及整个情报界提供网络威胁情报。

跨国专业服务网络毕马威（KPMG）报道称，双重勒索攻击是黑客获取赎金的“更有创意的方式”之一。

勒索团伙加速发展

全球网络安全公司Gurucul的首席执行官萨尔尤纳亚尔（Saryu Nayyar）说：“勒索团伙越来越大胆，越来越老练，他们通过犯罪攻击来追击更大、更有利可图的目标。”。对软件公司的攻击“是最大的勒索软件攻击之一，但肯定不会是最后一次。”

毫无疑问，黑客正变得越来越雄心勃勃——根据Bakerhosteller律师事务所的数字资产和数据管理实践小组（Digital Assets and Data Management Practice Group）的数据，平均赎金需求从2018年的约2.9万美元增加到2019年的30.2万美元以上。

去年要求的最大赎金为1880万美元，支付的最大赎金为560万美元。”“我们每天都会收到付款，”Bakerhosteller's Group说这就是这个问题的严重性。”

托管检测和响应公司eSentire的副总裁兼安全行业策略师MarkSangster告诉TechNewsWorld：“勒索软件已经从机会主义和交易不可知论的攻击变成了更有针对性和持续性的攻击，目的是要摧毁大游戏。”。

黑帮现在也更加活跃了——根据Check Point Research的数据，在过去的三个月里，美国勒索软件袭击的次数几乎是1月至6月的两倍。

Checkpoint说，这在一定程度上是由于大流行病迫使企业改变其业务结构，这往往会在其IT系统中留下缺口。”这些漏洞给了网络犯罪分子利用安全漏洞和渗透组织网络的机会。黑客将加密数十万个文件，使用户丧失能力，并经常劫持整个网络。”

毕马威表示，远程工作“大大增加了勒索软件攻击成功的风险”。这“是由于对家庭IT的控制较弱，用户点击COVID-19主题勒索软件诱饵电子邮件的可能性更高。鉴于人们的焦虑程度，犯罪团伙越来越多地转向以COVID-19为主题的网络钓鱼诱饵。”

付还是不付？

网络安全公司Sophos委托对5000名IT经理进行的全球调查发现，受害者的数据在将近75%的勒索软件攻击中都是加密的。

调查还显示，56%的受害者从备份中检索到他们的数据，只有26%的受害者通过支付赎金找回了数据。

然而，“在某些情况下，支付赎金可能不是唯一的选择，但出于各种原因，这可能是最快捷的选择，”管理检测和响应公司Pondurance的创始人兼首席客户官Ron Pelletier告诉TechNewsWorld。

以科罗拉多州拉斐特市为例，该市在7月份向黑客支付了4.5万美元的赎金，此前他们接管了该市的系统并阻止了对其数据的访问。

拉斐特在研究了其他解决方案后支付了费用，因为“在重建城市数据与支付赎金的成本效益方案中，勒索软件的选择远远超过了重建的努力，”拉斐特说长期服务中断给居民带来的不便也被考虑在内。”

彭杜兰斯曾与“几位新客户”合作，他们支付了赎金，并向其求助，佩尔蒂埃说。

联邦调查局建议受害者与其联系，而不是支付赎金，否则他们将被网络犯罪分子视为易受攻击的目标。

支付赎金也使得处理勒索软件攻击的成本更高。Sophos发现，对于不支付费用的组织来说，纠正这些影响的平均成本略高于73万美元，而那些支付了费用的组织则超过140万美元。

支付赎金的法律问题

U、 美国法律本身并没有禁止支付赎金，但当受害者向受到美国政府制裁的人或组织支付赎金时，他们会陷入更多麻烦。

美国财政部外国资产控制办公室（OFAC）在10月份发布了一份咨询意见，指出美国人“一般被禁止直接或间接地与其特别指定国民和被封锁人员名单（SDN名单）上的实体以及其他被封锁的人进行交易，以及受到全面国家或地区禁运的国家或地区。

根据1917年《国际紧急经济权力法》（IEEPA）或《与敌方贸易法》（TWEA），OFAC对“为这些活动提供实质性协助、赞助或提供资金、物质或技术支持的网络犯罪团伙”实施制裁。

IEEPA是一项美国联邦法律，授权总统在宣布国家紧急状态后，对部分或全部位于国外的国家所面临的任何不寻常和特别的威胁作出反应后，授权总统管理国际贸易。它被用于打击非国家个人和团体，如恐怖分子和网络犯罪分子。

TWEA是美国联邦法律，赋予总统在战时监督或限制国家与敌人之间任何和所有贸易的权力。

根据这些法律，任何导致违反IEEPA规定的交易，包括导致美国人违反IEEPA制裁的非美国人的交易，也被禁止。

OFAC可根据严格责任对违反制裁规定的行为进行民事处罚，这意味着受美国管辖的人员可能要承担民事责任，即使“其不知道或有理由知道其与OFAC法规和制裁法律禁止的人进行交易”。

Ballard Spahr律师事务所的Gregory Szewczyk和Philip Yannella写道，民事和刑事处罚“可能超过数百万美元”。

Szewczyk和Yannella警告说，这些支付还可能违反反洗钱法，并导致一家公司根据美国《银行保密法》和财政部的规定被归类为金融服务业务。

这将要求该公司在财政部注册，并使其“受一系列旨在打击洗钱的复杂法律法规的约束”。

尽职调查至关重要

Bakerhosteller数字资产和数据管理集团主席Ted Kobus告诉TechNewsWorld，也就是说，并不是所有的犯罪分子都与被制裁的实体有关联。”事实上，绝大多数人都没有。”

科布斯指出，OFAC的顾问明确表示，与FBI的合作至关重要，在执法方面，这种合作“将被视为一个重要的缓和因素”。

贝克霍斯特勒说，公司通常会聘请第三方进行尽职调查，以确保赎金不会支付给受制裁的实体，并确保洗钱法律不受违反。

科布斯说：“尽职调查过程并不昂贵，如果你让合适的专家参与进来，这一过程可能不需要花费巨大的费用和精力。”因此，所有规模的公司都应进行适当的尽职调查。”

原文题：The Trials and Tribulations of Paying Ransomware Hackers

原文：Hackers hit German enterprise integration and IoT platform Software AG with ransomware twice this month.

On Oct. 5 data was downloaded from the company's servers and employees' notebooks, and its internal systems were disrupted. The hackers reportedly demanded more than US$20 million to de-encrypt the data.

When Software AG refused, the hackers released screenshots of the company's employees' passports and ID scans, emails, and financial documents from its internal network on to the Dark Web, according to ZDNet.

The Software AG attack is so-called "double extortion," where hackers extract sensitive commercial information before encrypting victims' data. The hackers then threaten to publish it unless their ransom demands are met, according to Check Point Research, which provides cyber threat intelligence to customers of its parent company Check Point Software, as well as the intelligence community at large.

Double extortion attacks are one of the "more creative ways" of getting ransom money that hackers are moving toward, multinational professional services network KPMG reports.

Ransomware Gangs Rev Up

"Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks," said Saryu Nayyar, CEO of global cybersecurity company Gurucul. The attack on Software AG "is one of the largest ransomware attacks, but it will certainly not be the last."

There's no question that hackers are getting increasingly ambitious -- the average ransom demand increased from about $29,000 in 2018 to more than $302,000 in 2019, according to the Digital Assets and Data Management Practice Group of law firm BakerHostetler.

The largest ransom demanded last year was $18.8 million and the largest paid was $5.6 million. "We are seeing payments made on a daily basis," BakerHostetler's Group, stated. "That's how big this issue is."

"Ransomware has gone from opportunistic and transactional agnostic attacks to more targeted and persistent attacks looking to take down big game," Mark Sangster, Vice President and Security Industry Strategist at managed detection and response firm eSentire, told TechNewsWorld.

The gangs are also more active now -- there were almost twice as many ransomware attacks in the past three months in the U.S. as there were between January and June, according to Check Point Research.

That is partly due to the pandemic forcing organizations to change their business structures, which often leaves gaps in their IT systems, Checkpoint said. "These gaps have given cybercriminals the opportunity to exploit security flaws and infiltrate an organizations network. Hackers will encrypt hundreds of thousands of files, incapacitating users and often taking whole networks hostage."

Remote working "increases the risk of a successful ransomware attack significantly," KPMG stated. This "is due to a combination of weaker controls on home IT and a higher likelihood of users clicking on COVID-19 themed ransomware lure emails. Given levels of anxiety, criminal groups are increasingly switching to COVID-19 themed lures for phishing."

To Pay or Not to Pay?

The victim's data is encrypted in almost 75 percent of ransomware attacks, a global survey of 5,000 IT managers commissioned by cybersecurity firm Sophos found.

The survey also revealed that 56 percent of the victims retrieved their data from backups and only 26 percent got it back by paying the ransom.

However, "In certain situations, paying the ransom may not be the only option but it might be the best expeditious option for various reasons," Ron Pelletier, Founder and Chief Customer Officer at managed detection and response firm Pondurance, told TechNewsWorld.

Take the municipality of Lafayette, in Colorado, which paid hackers $45,000 ransom in July after they took over its system and blocked access to its data.

Lafayette paid up after looking at alternative solutions because "in a cost-benefit scenario of rebuilding the City's data versus paying the ransom, the ransomware option far outweighed attempting to rebuild," the City said. "The inconvenience of a lengthy service outage for residents was also taken into consideration."

Pondurance has worked with "several new clients" that had paid a ransom and turned to it for help, Pelletier remarked.

The FBI suggests victims contact it instead of paying a ransom as otherwise they will be considered easy marks by cybercriminals.

Paying ransom also makes it more expensive to deal with ransomware attacks. Sophos found that the average cost to rectify the impacts is just over $730,000 for organizations that do not pay up and more than $1.4 million for those that do.

Legal Issues of Paying Ransom

U.S. law doesn't prohibit paying ransom per se; but when victims pay monies to people or organizations who have been sanctioned by the U.S. government...they get into more trouble.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory in October, stating that Americans "are generally prohibited from engaging in transactions, directly or indirectly," with entities on its Specially Designated Nationals and Blocked Persons List (SDN List), as well as with other blocked persons, and those covered by comprehensive country or region embargoes.

OFAC imposes sanctions on cybercriminal gangs "others who materially assist, sponsor, or provide financial, material, or technological support for these activities" under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) of 1917.

The IEEPA is a U.S. federal law authorizing the President to regulate international commerce after declaring a national emergency in response to any unusual and extraordinary threat to the nation that is located partly or wholly abroad. It has been used to target non-state individuals and groups such as terrorists and cybercriminals.

The TWEA is a U.S. federal law that gives the President the power to oversee or restrict any and all trade between the nation and its enemies in times of war.

Any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited under the authority of these laws.

OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even "if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited" under OFAC regulations and sanctions laws.

Civil and criminal penalties "can exceed millions of dollars," Gregory Szewczyk and Philip Yannella of legal firm Ballard Spahr wrote.

The payments could also violate anti-money laundering laws and result in a company being categorized as a Money Services Business under the U.S. Bank Secrecy Act and Treasury Department regulations, Szewczyk and Yannella cautioned.

That would require the company to register with the Treasury Department and make it "subject to a complex array of laws and regulations" designed to combat money laundering.

Due Diligence Is Crucial

That said, not all criminals are connected to a sanctioned entity, Ted Kobus, Chair of BakerHostetler's Digital Assets and Data Management Group, told TechNewsWorld. "In fact, the overwhelming majority are not."

The OFAC advisory makes it clear that cooperation with the FBI is critical and that this cooperation "will be viewed as a significant mitigating factor" when it comes to enforcement, Kobus noted.

BakerHostetler says companies generally retain a third party to conduct due diligence to ensure that the ransom is not being paid to a sanctioned entity and ensure money laundering laws are not being violated.

"The due diligence process is not costly, and if you involve the right experts, it can happen without tremendous expense and effort," Kobus remarked. "As such, companies of all sizes will be expected to undertake an appropriate due diligence process."

作者：Richard Adhikari

原文网站：https://www.technewsworld.com/story/86894.html