
Companies Paying Ransomware Groups Might Violate U.S. Treasury Sanction Laws

Enterprises affected by ransomware could be in trouble with the federal government if the group behind the incident is subject to economic sanctions, the Department of the Treasury warned in a newly released advisory.

The Treasury’s Office of Foreign Assets Control (OFAC) notes that certain entities using ransomware strains are subject to the office’s cyber-related sanctions program, which makes it illegal for most corporations to transfer money to such entities once they appear on the Specially Designated Nationals and Blocked Persons List described below.

Companies that decide to pay when their systems are infected by ransomware are at risk of violating the International Emergency Economic Powers Act or the Trading with the Enemy Act. This covers direct payments as well as payments made through third parties, including cyber insurers, digital forensics firms, incident response teams, and financial institutions that process ransom payments.

U.S. persons “are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by extensive country or region embargoes,” the memorandum asserts.

As a result, a company can be open to civil penalties, “even if [the payer] did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

Many experts in cybersecurity and law enforcement agencies advise companies to avoid paying ransomware groups who lock up their sensitive data. The logic behind those pleas is rooted in the explosive growth of ransomware over the years from niche malware into one of the primary threats in cybersecurity today. That growth, officials say, has largely been fueled and funded by ransom dollars collected from affected companies. Every successful payment validates the business strategy of ransomware groups, allows for greater investment in tools and capabilities, and puts other companies at higher risk of similar attacks in the future.

The U.S. government has worked in recent years to increase the costs for high-profile criminal and state-aligned cyber groups: hitting them with criminal indictments, financially strangling their operations through sanctions, and cutting off the ability of individuals to travel around the globe. Officials believe ransom payments from companies threaten national security interests, and the OFAC memorandum says payments sent to sanctioned groups “could be used to fund activities adverse to the national security and foreign policy objectives of the United States.”

Some former government officials, like Rob Knake, who worked as director of Cybersecurity Policy on the National Security Council under the Obama administration, have argued in favor of making it illegal for companies to pay ransomware groups.

Criminal groups have “built these organizations starting from that $50 ransomware from your grandmother’s computer, taking that money, reinvesting it in their capability, and so what we’re seeing today is the result of that,” Knake said in May. “We have grown these criminal enterprises; we have paid their R&D budgets, now they are targeting us, and we are in very bad shape.”

However, what’s good for the overall cybersecurity ecosystem may be bad for an individual company facing the prospect of having its sensitive data erased or sold on the black market, a setback that can cripple or ruin a business depending on whether it has adequate backups stored off-site and a road-tested incident response plan.

Attribution for ransomware attacks also can take time that targeted organizations do not have.

“OFAC already provides a list of sanctioned entities. Victim organizations are required to check the list prior to paying extortion demands,” said FireEye Chief Technology Officer Charles Carmakal. “However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions.”

Further complicating matters, victims sometimes pay threat actors before they are sanctioned. Carmakal pointed to victims of “SamSam” ransomware operators as an example, many of whom paid before knowing they were based in Iran.

It’s also not just private industry being targeted; critical infrastructure, governments, and school systems have all increasingly become targets of ransomware, often because they provide essential services and cannot afford to shut down or halt operations for very long.

“What if the victim is a hospital? A city government?” asked Phil Reitinger, a former deputy secretary for the federal government’s primary civilian cyber agency and current president and CEO of the non-profit Global Cyber Alliance. “It seems to me those who most ardently oppose ransom payments are those who don’t have to deal with real consequences.”

In the memorandum, OFAC advises financial institutions and private companies to create risk-based compliance programs around ransomware to mitigate exposure to sanctions violations and promptly contact federal law enforcement. A company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” will be a significant factor in OFAC’s determination around penalties or enforcement actions.