An item in Wired recently
pointed out that anybody who facilitates ransomware payments to certain U. S.
Treasury-sanctioned actors may also be liable to prosecution because they have
violated Office of Foreign Asset Control
(OFAC) regulations, which prohibit such dealings. This puts ransomware victims in a worse bind
than ever: pay up to free your kidnapped
data and get fined by the Treasury, or refuse and do without your data.
Perhaps this is just a
backwards way for the Treasury Department to encourage organizations that rely
on IT facilities—which is nearly everybody nowadays—to be more vigilant in preventing
cyberattacks. And that’s not a bad
thing. But if I worked for the IT
services division of a large firm or government agency, I would feel somewhat
put upon by the notion that rather than helping me avoid ransomware attackers,
the Treasury Department was letting me know that if I get attacked, they’ll be
standing by to make sure any ransom I pay doesn’t go to sanctioned
The utter permeability of
national boundaries to the Internet-mediated WorldWideWeb has led us to ignore
some long-standing expectations and categories of thought, and I think we
ignore them at our peril. To see what I
mean, let me take you back for a moment to Canterbury, England in the fall of 1011
A. D. A couple of years earlier, an army
of Danish Vikings led by Thorkell the Tall had threatened the city, but the populace
raised and paid a 3,000-pound silver ransom, and Thorkell turned instead to
points south, leaving Canterbury alone for the time being.
But in 1011, Thorkell
attacked Canterbury again, and the Anglo-Saxons decided to fight this
time. After a three-week battle, the
Vikings broke through the city’s defenses and captured the Archbishop
of Canterbury, who was named Aelfheah, and a number of other high officials. After burning down Canterbury Cathedral, Thorkell
ran off with the Archbishop and demanded another 3,000-pound ransom.
But the Archbishop himself
let it be known that he didn’t want to be ransomed, and didn’t want his people
to pay up. After seven months of holding
on to Aelfheah hoping for a ransom, some of the Vikings under Thorkell lost
patience (the Vikings were not known for that virtue), and began to throw
cowbones at Aelfheah, finishing him off with a blow from the blunt end of an axe. Thorkell, who had tried to stop his men from
killing Aelfheah, felt so bad about it that he eventually joined forces with
the English king, Aethelred the Unready, and fought bravely in his behalf.
What has that got to do with
ransomware? More than you might
For one thing, our little
history lesson shows that placating kidnappers and other demanders of ransom
tends to lead, not to the end of ransom demands, but to their
encouragement. Thorkell may have figured,
“Hey, we got 3,000 pounds of silver from Canterbury a couple of years ago,
let’s go try it again.” So like
blackmail payments and similar shady dealings, the payment of ransom for either
people or data just encourages the bad actors to keep doing what they’re doing,
in the long run.
Secondly, the people of
Canterbury didn’t expect Aelfheah to fight off the Vikings all by himself. They mounted a united defense, and though they
failed to stop Thorkell the second time, things could have turned out
differently if the balance of power had been more in favor of the Anglo-Saxons. But they would have had to plan for such an
attack and devote resources to preparing their armed forces.
Because ransomware attackers
don’t show up on the streets of U. S. cities armed with tanks and
flamethrowers, they escape being placed in the same category as we would place
the Vikings in 1011 A. D.: as invaders
bent on pillage and destruction. But
that’s what they are.
It’s true that few if any
people have died as a direct result of a ransomware attack. But the net effect is the same: an invasion of a sovereign territory by
(typically) foreign actors leads to money going into the pockets of the
In its limited bureaucratic
way, the U. S. Treasury is alerting potential victims of ransomware attacks
that paying ransom to certain sanctioned organizations can get you in trouble
with the government, on top of whatever expenses and problems the attack itself
causes. But it’s apparently not the
Treasury’s job to help you defend yourself against such attacks.
At a recent social
gathering, I met a youngish man who turns out to be a freelance IT security
specialist who goes around trying to attack systems to discover their
vulnerabilities, and then informs the client about the weak spots he’s
found. I didn’t spend enough time
talking with him to discover if one of his tricks involves threatening ransomware
attacks—it would be hard to try that without actually fouling up a client’s
systems, which is going a little beyond the remit of a consultant. But such people are an important part of an
overall cybersecurity policy that every organization of any size needs to have.
I wish there was some way
the U. S. military could guard our Internet borders the way they guard our
physical borders. But the way the Internet
has grown makes that nearly impossible, and probably inadvisable as well. For whatever reason, IT-intensive
organizations have to do the equivalent of paying for their own guards and
military defenses against the attacks of cyber-Vikings, rather than relying on
the government for security as we do for our physical borders.
But minds and organizations
change slowly, which is why there are so many outdated operating systems out
there, just begging to be hacked or attacked by ransomware. Maybe some kind of tax credit for IT security
expenditures would make a difference in encouraging organizations (at least
private ones) to do a better job of safeguarding their systems so well that most
ransomware attacks would fail. Like
anybody else, the attackers go around looking for low-hanging fruit, and I
suspect that many ransomware attacks would have been foiled by more vigilant IT
security on the part of the victims.
The long-term solution, if
there is one, is increased vigilance and more resources devoted to IT security,
plus a disinclination to pay ransomware attackers. But as long as there are people out there who
would rather raid and invade for pay rather than earn a living in a more
peaceful way, we will probably have to deal with ransomware attacks.
website carried an item about the U. S. Treasury’s warning concerning payments
to certain ransomware attackers at https://www.wired.com/story/ransomware-fine-grindr-bug-joker-malware-security-news/. The Treasury’s announcement itself can be
viewed at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf. And I got the story about Thorkell the Tall
and Aelfheah from the Wikipedia article “Siege of Canterbury.”