Guest Post

Beware paying ransomware: How MSPs should protect companies

Dave Sobel and Joseph Brunsman discuss how paying ransomware attackers could have businesses run afoul of OFAC and what MSPs and solutions providers can do to help.

Dave Sobel is the host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

This week, Sobel spoke with Joseph Brunsman, an insurance broker who handles cyber insurance, about the recent announcement from the Office of Foreign Assets Control (OFAC) out of the Department of Treasury telling organizations to not pay ransomware payments to anyone essentially subject to U.S. Treasury sanctions or they could face penalties.

Transcript follows below.

Dave Sobel: Hey, everybody. Dave Sobel here again from the Business of Tech podcast. So, back with Joseph Brunsman. Welcome back to the show.

Joseph Brunsman: Hey. Thanks, Dave. Good to see you again.

Sobel: So, this is funny. This is a Reddit-demanded podcast because there's a conversation going on in regards to the announcements, which would now, when we're recording this, is last week out of the U.S. Treasury and we both covered, you covered it, I covered it, and then there was a lively discussion going on with some questions, which was an obvious opportunity for the two of us to put our heads together and walk through that. Do you want to catch everybody up who may not be up on what the announcement was?

Brunsman: Certainly. So this is coming from, as you said, Department of Treasury, specifically OFAC, so that's the Office of Foreign Assets Control. Essentially, it's really just like a reiteration. So it's a warning of something that has already been in place that's essentially saying, 'Hey, if you are paying a ransom after a ransomware event, just so you know, that if you end up paying a ransom to someone who is on our sanctioned list or blocked persons list,' the technical term for it, I'd have to look it up again. But what it's saying is, 'You could be held civilly liable for doing that.'

Sobel: That was a big deal, right?

Brunsman: Yeah, not fun. From my research, I think the civil penalty, so it's not a criminal penalty, you're probably not going to end up in prison, but what's interesting here is that you are held to a legal standard called 'strict liability.' So what that means is even if you didn't know, or you didn't have a reason to know that you were paying someone who's on the sanction list, you could still be held liable. I think what's pretty fascinating here is it's not even necessarily the money that would get you. So 55 grand for most businesses is, OK, doable, unless you're a really small business. But now your name's going to be on that list and you're going to be in the news and they will make an example out of you.

Sobel: Right. I mean, it's painful. I don't think any business owner is going to want to write a check for 55 grand, but at the same time, it's not devastating. They're not trying to shut you down. They're just making this painful. I think you've hit on the major piece. So let's ask the obvious question. I think we'll each weigh in with, so why do we think they made this move?

Brunsman: So, I think it's, having a background in administrative law and being part of the government before, these bureaucratic organizations, they never do anything by mistake. So where I'm coming at it from is I think they're now really going to start enforcing this. So I think this is the warning shot to everybody involved that you can't just play the card of, 'I didn't know,' because now it is big news. Everybody should hopefully be aware of this. So I think this is the shot across the bow to say, 'Hey, this has been in place in the past, but now you have been warned. So get ready because we will come after you.'

Sobel: Yeah, and that was my take too. I looked at this and said, 'We know that security experts have been advising not paying these ransoms because it is a vicious cycle. The more they get paid, the more encouragement that the criminals have to continue to do it, that the less they keep coming back.' That you have to start disincentivizing the payouts of this in order to slow the process. I think this is the government coming in and saying, 'Hey, here's your warning. We're about to get serious with this.' I found it interesting, the timing of this. There was a bill introduced, a bipartisan bill for the House and Senate, introduced last week that's starting to up cybersecurity training. The idea is to invest in cybersecurity training as well as have the SBA report on progress every two years back to Congress on how they're doing.

I found it interesting timing that the two are coming out at the same time. So this feels like an amping up of that effort to make sure that, 'Hey, we're warning everybody we're getting serious. We're starting to collect data on it. We're going to invest in training. We're going to help businesses get there.' So for me, the open question that you'd be a good person to ask for is, is, so how much of this do you think is insurance companies putting pressure on this?

Brunsman: It's interesting. I mean, I know that obviously insurance companies don't like paying out a cent more than they have to, and so definitely this could be used by insurance companies to truly try and stay away from paying that ransom. I know right now insurance companies are just getting decimated by these ransomware events, as are small businesses around the country. So I could see where insurance companies are going to take this actually favorably, as a matter of fact, and try and use this as but another tool to really try and encourage those business owners to not necessarily think of cyber insurance as a security control, because it's not. That they need to have that defense and depth in place to really make sure that ideally they never actually fall victim to ransomware to begin with.

Sobel: Sure. And then the obvious next question, I think we both have an opinion on this one is, what are the implications to the business owners? I think we could talk about this both from a solution provider perspective, as well as our end customers. What's your take there?

Brunsman: So, I think the take is it's somewhat paradoxical, but it's yet another reason why small to medium-sized businesses absolutely need to buy cyber insurance, and yet another reason why they should not just solely rely on cyber insurance. So at the insurance company level with their particular vendors and subcontractors, if it's a reputable cyber insurance company that's versed in this stuff, they should already know who is on the sanction list, what type of strain of particular malware infected that system, how to play by the rules, how to coordinate with OFAC and all the various other government agencies that are out there as well as law enforcement agencies. But I think it's another reason why business owners really need to take cybersecurity seriously. Because yes, there is an appeals process through OFAC, but to quote it, it says, 'They're going to deal with it on a case-by-case basis with a presumption of denial.'

So, what I think that means is -- call me cynical here -- but I think it means that if you're a multinational multibillion-dollar corporation and your whole system gets shut down, maybe you could get an appeal. If you're an average business out there, you just have to start from the assumption that the ransomware payment is not going to work, right? Let's start from worst-case scenario and work backwards. Figure out, OK, how do I avoid that situation to begin with so that I don't have to play the game of, 'I hope to God that it wasn't the wrong person that hit me with that ransomware'?

Sobel: Yeah. I always put the solution provider hat on. For me, I thought a lot about the fact that this is the warning for any MSP, technology services company, break/fix, whatever you call yourself. If you're delivering IT services around this, you need to be incredibly disciplined about the way that you're now engaging with these incidents. Not to say that you weren't before, but I want to make sure that everyone truly understands the message from the government on this is, 'this is a crime and you need to treat it like a crime.'

I want you to think about it like a hostage situation or a murder, in that if you start damaging evidence during that process and are not involving the authorities at the proper place, it's not just, I think, in my mind, about paying the ransom, although that's the end point. It's about the discipline through the process. You're going to be held accountable for those actions. I would really encourage anybody delivering IT services to make sure that they have policies and procedures in place to think about this, to notify the authorities, to get the right third parties involved. If you don't have the experience for this, do not be doing forensics on the fly. This is just a horrible area to be in right now. It is really amping up the risk in my mind to what's going on here.

Brunsman: Interestingly, one thing that I probably should have mentioned before is that a lot of the way that these government agencies work, we always complain about like, 'Why aren't we catching these people? Why aren't we getting these hackers that are in these other countries?' Well, okay, in some respects we can't. There's no extradition treaty. But I think part of the problem is if you dig into those FBI statistics, maybe we know where they are. Maybe we could figure it out. They just don't have the funding to actually do it. They don't have the manpower yet. I think probably the silver bullet that's going to pop out of this is that once organizations really start taking this seriously, they start notifying FBI, they see that caseload increase, that's a perfect reason to increase funding for those law enforcement agencies so that now they can bring in more people to try and solve the problems. So there could be a silver lining, silver bullet to this whole thing.

Sobel: Well, I mean, I am looking at this actually as a good thing. This is the kind of investment that we need. I'll observe that the laws [being put] in place that I mentioned from last week about starting to track this, that was bipartisan. We're not going to ... this isn't a political podcast, but I want everyone to think about how easy this set of votes is for every politician. We're going to vote to increase funding for law enforcement activities dealing with cybersecurity. I don't care which side of the aisle you are on. This is an easy 'yes' vote.

So, we always talk about ... there's this idea that politics is difficult, that everything is going to be contentious. This one isn't. This one feels like it will sail through. Everyone will fund it. There will be lots of interest in spending money on helping small businesses, helping businesses do this. This is not going to be one of those contentious ones.

Brunsman: Yeah. Honestly, I would say that those brilliant cybersecurity minds that we have out there that we need on our side to try and stem the flow of this, we're going to have to pay them really good money to start working for the government. That is not an easy ask. So the more that we can make this situation aware to all the various law enforcement agencies out there where they can get that funding necessary to really hire those good smart people, I think it's just going to be a win-win for everybody in the long run. So yeah, it's a pain on the short end. It's but another thing you have to deal with, which is never fun. It's one more box in the checklist that you got to go through, but I'm with you on this. I think it's actually a good thing at the end of the day.

Sobel: Yeah. I would be warning of anybody who's dismissive of this, thinking that this is nothing. I would warn you that they are, again, that all the alignments of the powers that are interested in this are all really interested in it, and there's not a lot of downside for any of them.

Brunsman: Yeah. I would just say, I did have a lot of comments come my way where people were like, 'Oh, well, so then just don't tell the government and you'll be fine.' It's like, 'No, not really.' So I actually downloaded the entire sanction list, which was 1,442 pages long and growing every day.

Sobel: Good night reading.

Brunsman: Yeah. That was a dense one. But they even have Bitcoin addresses on there, and then obviously now cryptocurrency transactions and holdings are reportable to the IRS. So, they're going to get you one way or another. If you try and hide it, we can look at the allegations and indictments currently befalling the former CSO of Uber when he allegedly tried to hide a breach at his company and where that's going. So, I think it's just some of those things where you're going to have to comply, maybe it's painful, but at the end of the day, it really is a good thing.

Sobel: Well, look, and I think even if you say, maybe it's painful, it's not like the situation isn't already painful. If something happens, you're already dealing with a huge monstrous pile of mess. Just know that it is that serious and it needs to be handled that way, and don't be dismissive of it. By the way, I would, again, would be remiss if I didn't put my solution provider hat on, expertise in this is what you're able to charge good rates for. You're able to have the discipline, have the policies and procedures. By investing in this, this is what you can take back to your customers and charge a premium for. I do not expect this to be delivered for free or for discount. This is hard stuff. If they want to take the risk themselves, they're welcome to do that. This remains a risk mitigation business, delivering IT services.

Brunsman: Absolutely. I think that, from the MSP owner side, like you were saying, this is just yet another reason where you can talk to your customers about increasing those cybersecurity controls. Yes, even though I'm the cyber insurance guy, not wholly relying on cyber insurance to make you whole, because in this case, hey, you may be up a creek without a paddle. So if you decided not to invest in backups, not do MFA, on and on, and now you're hit and your whole system is gone and it's either, 'Hey, pay the ransom, violate OFAC and get put on a list and have your name dragged through the news,' you probably don't want to be in that position. So, I would just imagine any business that does eventually end up in that position, they're going to think, 'Wow, that MFA was way cheaper. I should have gone that route.'

Sobel: It was way cheaper. So, Joseph, people have been asking you questions. What are the best ways to get in touch with you if they want to ask specific questions or walk through scenarios or understand what to do next?

Brunsman: So, easiest way to get ahold of me, you can always email me at [email protected]. You can find me on YouTube if you just search for Joseph Brunsman. I do a ton of videos on there. You can download my books for free on my website, CPLbrokers.com. That's probably the easiest way.

About the author

Dave Sobel is the host of the podcast "The Business of Tech," co-host of the podcast "Killing IT" and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing, and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.

Next Steps

Kaseya ransomware attack underlines vendor accountability

Local government ransomware attacks and how MSPs can help

Dig Deeper on MSP business strategy