Paying ransomware demands could land you in hot water with the feds

[Karlston]

Paying ransomware demands could land you in hot water with the feds

Advisory applies not just to victims, but also to security and finance firms they hire.

Aurich Lawson

5 with 5 posters participating

Businesses, governments, and organizations that are hit by crippling ransomware attacks now have a new worry to contend with—big fines from the US Department of Treasury in the event that they pay to recover their data.

 

Treasury Department officials made that guidance official in an advisory published on Thursday. It warns that payments made to specific entities or to any entity in certain countries—specifically, those with a designated “sanctions nexus”—could subject the payer to financial penalties levied by the Office of Foreign Assets Control, or OFAC.

 

The prohibition applies not only to the group that is infected but also to any companies or contractors the hacked group’s security or insurance engages with, including those who provide insurance, digital forensics, and incident response, as well as all financial services that help facilitate or process ransom payments.

Enabling criminals

“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” the advisory stated. “For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

 

Under law, US persons are generally prohibited from engaging directly or indirectly in transactions with people or organizations on the OFAC’s Designated Nationals and Blocked Persons List, other prohibited lists, or in Cuba, Iran, North Korea, and other countries or regions. In recent years, the Treasury Department has added several known cyber-threat groups to its designation list. They include:

• Evgeniy Mikhailovich Bogachev, the developer of Cryptolocker, an early ransomware variant that the OFAC says infected more than 234,000 computers, half of them in the United States.
• Two Iranian nationals behind SamSam, the ransomware that crippled the city of Atlanta in 2018.
• Individuals and groups connected to Lazarus Group, a hacker group sponsored by North Korea that US intelligence groups say was behind the WannaCry attacks that shut down computers worldwide.
• “Evil Corp.,” a Russia-based criminal organization whose leader was indicted last year for allegedly using the notorious Dridex malware to drain more than $70 million from bank accounts in the US, UK, and elsewhere.

To pay or not to pay?

 

Law enforcement officials and security consultants have generally advised against paying ransomware demands because the payments only fund and encourage new attacks. Unfortunately, paying the ransom is often the fastest and least-expensive way to recover. The City of Baltimore incurred more than $18 million after it was locked out of its IT systems. Attackers behind the ransomware had demanded $70,000. In response, some companies claiming to offer incident-response services for ransomware attacks simply pay the attackers.

 

Thursday’s advisory warned that there are other reasons not to pay. It further explained that the prohibitions against ransom payments are broader than many people may assume. Fines may be levied against any US person who, regardless of location, engages in a transaction that causes a non-US person to perform a prohibited action. The OFAC may also impose civil penalties based on “strict liability,” a legal principle that holds the person or group liable even if they didn’t know or have reason to know they were engaging with someone who’s prohibited under the sanctions laws.

 

“As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” the advisory stated. “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services.”

 

 

Paying ransomware demands could land you in hot water with the feds

 

[Karlston]

Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today.

 

Image: Shutterstock

In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

 

As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

 

A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.

 

Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million.

 

The Federal Bureau of Investigation (FBI) and other law enforcement agencies have tried to discourage businesses hit by ransomware from paying their extortionists, noting that doing so only helps bankroll further attacks.

 

But in practice, a fair number of victims find paying up is the fastest way to resume business as usual. In addition, insurance providers often help facilitate the payments because the amount demanded ends up being less than what the insurer might have to pay to cover the cost of the affected business being sidelined for days or weeks at a time.

 

While it may seem unlikely that companies victimized by ransomware might somehow be able to know whether their extortionists are currently being sanctioned by the U.S. government, they still can be fined either way, said Ginger Faulk, a partner in the Washington, D.C. office of the law firm Eversheds Sutherland.

 

Faulk said OFAC may impose civil penalties for sanctions violations based on “strict liability,” meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

 

“In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal), no mens rea or even ‘reason to know’ that the person is sanctioned is necessary under OFAC regulations,” Faulk said.

 

But Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury’s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.

 

Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.

 

“In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

 

Along those lines, OFAC said the degree of a person/company’s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

 

 

Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam