The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions.
“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Several individuals involved in ransomware attacks over the past few years have been sanctioned by OFAC, including the Lazarus Group from North Korea, which was behind the WannaCry 2.0 ransomware attacks in May 2017; two Iranians believed to be behind the SamSam ransomware attacks that started in late 2015; Evil Corp and its leader, Maksim Yakubets, who are behind Dridex malware; and Evgeniy Mikhailovich Bogachev, who was designated the developer of Cryptolocker ransomware, which was first released in December 2016.
Paying ransoms to sanctioned persons or jurisdictions threatens U.S. national security interests. OFAC explained: “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. US persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.”
Civil monetary penalties may be imposed for sanctions violations, even if the person violating the sanctions was unaware that they were engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Any facilitator or payer of ransom demands to sanctioned individuals, entities, or regimes could face a financial penalty up to $20 million.
Many entities do not disclose ransomware attacks or report them to law enforcement to avoid negative publicity and legal issues, but by failing to report the attacks they are hampering law enforcement investigations. OFAC explained in its advisory that the financial intelligence and enforcement agency will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
The advisory also includes contact information for victims of ransomware attacks to discover if there are sanctions imposed on threat actors, and whether payment of a ransom may involve a sanctions nexus.
OFAC has advised against paying any ransom demand. Not only does payment of a ransom risk violating OFAC regulations, but there is also no guarantee that payment will result in valid keys being supplied to decrypt data; the criminals may not delete stolen data, and they could issue further ransom demands. Payment of a ransom may also embolden cyber actors to engage in further attacks.
OFAC has only offered advice and warned of sanctions risks if payments are made to certain threat actors. Short of a ban on paying any ransom, the attacks are likely to remain profitable and will continue. Only when the attacks cease to be profitable are cybercriminals likely to stop conducting attacks.