Don’t Blame the Victim, Blame the Game: The OFAC’s Misstep in Fining Ransomware Payers

Young male frustrated by ransomware attack on desktop screen.

Ransomware attacks have always been a large issue in the cybersecurity world. The victims of ransomware attacks may also be blamed along with hackers.

The Treasury Department’s Office of Foreign Assets Control (OFAC) recently came out with an advisory stating that those who pay the ransom of a ransomware attack may themselves be subject to fines. While this may sound good on paper, in practice this black-and-white approach to a growing cybersecurity problem can be detrimental to all involved.

Popular in many an action movie, the “we don’t negotiate with terrorists” mantra may be thought of as appropriate dogma to cyberattacks. If one pays a bad actor the demanded ransom, then it incentivizes future attacks on others. If everyone refused to pay these ransoms, the method of attack would no longer be a profitable one, and they would move on to another cybercrime. Of course, in the movies, Harrison Ford always gets his plane back and the girl; companies who are unprepared victims of ransomware are seldom that lucky.

What makes ransomware such an effective method of attack is precisely why paying that ransom is not always a bad idea. For most attacks, the ransom is pennies on the dollar compared to what the cost of a recovery would be. For all the ethical debate about rewarding someone for their crime, the reality is that not doing so may cause the most possible damage to the company or individual attacked. The city of Atlanta is an excellent example.

Atlanta was the victim of the SamSam Ransomware in January of 2018. The requested ransom for this attack was $6,800 to unlock a single computer or $51,000 for all the decrypt keys needed to restore the city’s entire system. This attack was the largest successful cyber attack on a U.S. city in history. The attack affected around six million people, interrupting activities such as paying bills and fines, some court-related processing, as well as several internal systems for the city itself. Atlanta decided not to pay the $6,800 or the $51,000 ransom. They did not reward the bad actors for their bad actions and decided to take on the recovery themselves. To do this, Atlanta initially put in $2.7 million to recover everything, but once their systems were finally set back into place, the actual costs to the city were nearly $10 million. Atlanta didn’t let the bad guys win, but at what cost?

$10 million suddenly stripped from a city’s budget does not just mean the problem was fixed, it meant that they were now short of $10 million originally set for other things like salaries, school budgets, road repairs, etc. What could have been a negligible expense ended up costing millions and impacting the city for years to come. The question is what impact does the OFAC advisory really have on protecting U.S. cities and companies from these types of ransom attacks?

The answer unfortunately is, not much. For one thing, this advisory punishes the victim of the attacks. Instead of having to consider the cost of paying the ransom versus the cost of not, they now have to factor in the ransom plus the fine. This makes for some very fuzzy math. Either the fine is so high that it costs a company more to go through a very expensive recovery phase or the fine plus ransom is still less than the cost of recovery.

If the cost of the fine plus ransom is greater than the cost of recovery, under the government’s guidance all ransomware attacks would be exponentially more expensive for the victims. In many cases, it may actually shut down a company that is unable to pay thousands or millions of dollars to recover.

If the cost of the fine and ransom ends up being less than the cost of recovery, then the government is essentially profiting from ransomware attacks. The fiscally responsible move will still be to pay the ransom, but now the government will get a little cut of every attack. Under this model what is the government’s motive to end such attacks?

In both scenarios, the only party to actually suffer is the victim. The government either profits or keeps the status quo, the hacker either gets paid or doesn’t, same as today. The victim is either forced out of business or put in a financially vulnerable spot by the government or simply must pay a “victim’s tax” for being targeted. This would make for a terrible action movie.

If the OFAC advisory isn’t really an effective way of protecting U.S. businesses and cities from ransomware attacks, then what should the government be doing? The answer is in education.

Being a victim of a ransomware attack isn’t an inevitability. Being put into a situation of having to decide whether to pay is not absolute. With the right internal policies, procedures, and technology in place, being the victim of a ransomware attack is entirely avoidable. But you need to know what policies and procedures to have in place. You need to know what tech is available to protect you. The government should expand itself as a resource to help businesses and cities become aware.

Three ways the government can help with ransomware education are:

  • PSA videos – Create short and informative videos that can be incorporated into any HR department’s cybersecurity employee training program. Videos like these can highlight what to look for to identify a phishing scam, how to keep your personal information safe from being a phishing target, and steps to take the moment an attack is apparent.
  • Cyber training classes – The best way to prevent a ransomware attack is to ensure everyone within a network, be it a municipality or a corporation, is aware of all the suggested cybersecurity policies and best practices, as well as how to identify any potential point of attack. Building off the basic information that can be shared through a PSA, these classes presented by the government could go into much greater detail and provide employees with everything they need.
  • Cybersecurity education in schools – Ransomware and other such malicious cyber attacks will always be a threat. It is the nature of a constantly changing digital world. While keeping employees up to date on the latest threats with PSA Videos and Cyber Training classes is vitality important, we need to address these threats at the root. The best way to achieve this is to instill from a young age the threats and dangers of cyberattacks. Teach students how to look at phishing scams or behavioral vulnerabilities with a focused mind, so that as the next generation of workers enters their various fields, they are less likely to fall prey.

The government’s role is to protect its citizens and companies. Punishing the victim should not be one of its tactics to do so. Though it may be counter-intuitive, sometimes paying off a ransom is the best move to make. The best way to prevent these types of attacks is proper education and actions before they occur. With the government’s support of a comprehensive cybersecurity education program that works with today’s generation of workers as well as the next, it will have much greater success in decreasing successful ransomware attacks in the short and long term.

How to Protect Your Supply Chain from Cyberattacks

Chains made of zeros and ones intersect.

Cyberattacks can happen anywhere at any time. Due to the pandemic, the number of cyberattacks companies have been faced with has soared. Hackers are attacking large e-commerce companies since they have been in high demand due to the COVID-19 lockdown.

Supply chains have been stretched to their limits by COVID-19 lockdowns, border closures, and sudden shifts in consumer demands. Now, they’re facing a growing threat from hackers. According to the FBI, cyberattacks have surged by 400% during the pandemic. One of the top targets: supply chains. In 2019, there were around 300 major hacks on supply chains and 2020 is almost certain to exceed that. In a single week this fall, cybercriminals took out shipping giant CMA CGM’s e-commerce systems and hit the International Maritime Organisation with an attack that affected crucial databases.

The fastest-growing threat is ransomware, which encrypts a company’s data until a ransom is paid to the hackers to decode it. In the third quarter of 2020, companies paid an average of $233,817 in ransoms, a 31% increase from the previous quarter, according to security firm Coveware. Supply chains are uniquely vulnerable to cyberattacks because each link in the chain is a potential entry point for hackers. Corporations like Walmart can have 100,000 suppliers, and interact with each to manage orders, delivery schedules, invoices and payments. When a single click on a malicious email link can open the door to a cyberattack, policing such a complex system is an enormous challenge. So, what can be done? Here’s how to keep your supply chain safe and secure.


Your organization or suppliers will inevitably be the target of a cyberattack, so plan accordingly. If your company doesn’t have a comprehensive strategy for mitigating threats and dealing with any breaches, creating one must be a priority. The threat from hackers is ubiquitous so your strategy must encompass not only your organization but the suppliers and vendors you deal with. It should run the gamut from the technologies used for endpoint protection, to standards for accessing and handling data, and plans for recovering in the event of a successful attack. The National Institute of Standards and Technology has created standards for supply chain cybersecurity that are an excellent starting point.


You can’t defend against risks you don’t know about. Conduct a comprehensive audit of each third-party vendor in your supply chain. It’s not enough to look into their software and hardware, you need to know about their information security protocols, processes for patching and updating their systems, how they control physical access to their facilities and digital access to their systems, and what background checks they perform on their employees. Group vendors by their risk level, and prioritize working with the riskiest to secure systems and train staff. Particularly vulnerable equipment may have to be air-gapped from other systems. This is frequently the case for manufacturers that have expensive or difficult-to-replace machinery still operating on outdated systems such as Windows XP.


The complexity of supply chains creates an enormous attack surface for hackers. The risks are increasing with greater use of IoT technologies throughout the system. Even WiFi routers, connected thermostats or smart lighting systems in warehouses could present a risk. IT departments lead the charge on ensuring networks are up-to-date with antivirus and malware detection software, and staying current with system patches. But that work can be undone by a careless worker who invites hackers in by falling for a phishing attack. Supply chains are prime targets for phishing scams, which often involve phony invoices that contain viruses or fake wire transfer requests that appear to come from a trusted source. Embedding a culture of cybersecurity awareness throughout your supply chain and regularly training all staff to be vigilant to the threat is essential to keeping systems secure.

Ransomware and other cyberattacks represent real and growing threats to companies throughout the supply chain. Attacks are inevitable, but by putting the correct technologies and procedures in place, companies can mitigate their risks and reduce their chances of costly downtime from a successful hack.


Tim Cook to unveil iPhone 5 on October 4th, 2011

Reports say that Apple will unveil its much-anticipated iPhone 5 handset, Marking a significant event in Apples recent history, because it will be the first time new CEO Tim Cook will do a big product introduction, after Steve Job’s resignation as the CEO of Apple.

Sources say that the plan is now to make the new device available for purchase within a few weeks after the announcement.


Where is the Battery?

Could invisible electronics be in the near future?
Researchers at Stanford University have designed a thin, flexible and transparent battery that bring the idea a step closer to feasibility. These batteries are about the size of a small post-it note and resemble saran wrap. How it's possible-the batteries' electrodes are arranged in a micro mesh-like frame work, resulting in lines so thin they are invisible to the naked eye. Currently these lithium-ion batteries provide up to enough energy to operate a digital camera, but with more development, researchers hope to incorporate them into cell phones, laptops, and other larger electronics. While finding ways to make other electronic components transparent is a challenge yet to be solved, these new batteries provide a nifty solution to help to slim all battery powered devices.


My run in with Google’s street view car.

Google Street View Car

For the past few weeks I have been seeing the Google street view car driving around the neighborhood. Today as I pulled into the local Starbucks it was parked right out front and I thought what a great opportunity to take a few photos and give everyone a chance to learn about the technology behind it. I am sure by now most, if not all of you have used Google Maps’ Street View feature. Some may think this is satellite imagery but the technology behind it is simple at the surface.

The current Google Street View car has 15 lenses taking 360 degrees of photos. It uses motion sensors to track its position via GPS and a hard drive to store the data. There is a small computer running the entire system, and lasers are used to capture 3D data to determine distances and depth of field within the Street View. In addition to the car, Google also has a trike, snowmobile and a trolley to capture images in places cars can’t access.

Google uses the car to access public roads and also uses face and license plate blurring technology for privacy. Once the images are captured, it takes Google a few months to process the images at their lab and make the
images available online for your viewing pleasure. It’s a very useful tool, especially when going to a meeting or a place you have not visited before; you can easily identify landmarks near your destination.

15 Cameras take 360 degree view photos

To learn more about the Google car: