"What I would like to see is I'd like to see the top 10, top 20 ransomware teams all designated as OFAC actors," he said. Treasury Department, which enforces trade sanctions to support U.S. That's where the Office of Foreign Assets Control should come in, said Stamos, referring to the financial intelligence and enforcement arm of the U.S. But they have no way to really enforce that.' And in the moment you're not going to take that advice." You have the FBI saying please don't pay. "Generally today, companies do not face legal sanction for this. That's why "we need to outlaw ransom payments," he said. Because the moment you call a DFIR company and outside counsel, you're at seven figures in billing already. "And that's the genius of it: All of the incentives are lined up that it's probably cheaper to pay a couple million dollars. "For all your stakeholders, your employees, your shareholders – in this case your patients – it probably makes sense to pay," he said. "The great evil genius of ransomware is that, in the micro picture, if you are a victim, and you've come in on Monday morning, and your exchange servers are locked up, and none of your systems are working, and people have no idea what the hell they're doing that day, and you've got a ransom alert saying, 'We've got all your data,' It almost always makes logical sense to pay," he explained. ![]() Stamos took a different view, arguing that ransomware payments should be made illegal in most cases. ![]() His advice? "Rather than having a concrete 'always' or 'never,' think about the criteria you will use to make that decision, should you find yourself in a ransomware crisis." I think it's appropriate when we're talking about life or death, and that's certainly a challenge within the healthcare arena." While the former Cyber Command chief noted that his "personal and professional preference has always been not to pay," he did acknowledge that there are "some circumstances where some organizations think it's the appropriate thing to do. "I always say you should be speaking to the criminals, for two reasons: one, it can give you time – time to help your defenses and help your organization respond – and two, it can sometimes be a source of insight into what this actor has done." "It is illegal to pay ransom to a group, individual, nation state or entity that's been sanctioned, either by the U.S., the United Nations or any other international body."īut whether you pay "should be a different conversation than should you be talking to these individuals," Rogers added. against a company paying ransom, with one notable exception," Adm. "There's no broad legal prohibition in the U.S. Cyber Command Alex Stamos, founding partner at Krebs Stamos Group and former security chief for Facebook and Yahoo Michael Coates, cofounder and CEO of Altitude Networks and former CISO at Twitter Israeli cybersecurity analyst, author and researcher Keren Elazari and Jigar Kadakia, chief information security and privacy officer at Mass General Brigham – all had different opinions on the topic. Rogers, former director of the National Security Agency and former Commander of the U.S. LAS VEGAS – The FBI and Department of Homeland Security have always recommended against paying up when cybercriminals demand exorbitant bitcoin deposits to decrypt files seized by ransomware.īut in a healthcare setting, where continuity is critical and often a matter of life and death, that advice is not so cut-and-dried.ĭuring a HIMSS21 keynote on Tuesday morning, a group of security experts debated a crucial question that more and more healthcare organizations have been asking themselves recently: to pay, or not to pay?
0 Comments
Leave a Reply. |