Treasury Department Gives Warning of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has cautioned that organizations that pay ransoms to cyber actors on behalf of attack victims may face sanctions risks for violating OFAC regulations. Ransomware victims that pay ransom demands to threat actors could also face substantial fines from the federal government if it is later found that the hackers responsible for the attacks are under economic sanctions.

OFAC explained that ransomware payment demands have increased throughout the COVID-19 pandemic as cybercriminals target the online systems that U.S. individuals and businesses depend on to keep operating. Organizations that facilitate ransomware payments to cybercriminals on behalf of victims, such as financial institutions, cyber insurance companies, and firms engaged in digital forensics and incident response, not only encourage future ransom demands but may also risk violating OFAC rules.

OFAC has sanctioned a number of people and groups involved in ransomware attacks in the last few years:

  • two Iranians thought to be behind the SamSam ransomware attacks that began in late 2015
  • the Lazarus Group of North Korea behind the May 2017 WannaCry 2.0 ransomware attacks
  • Evil Corp and its head, Maksim Yakubets, who are responsible for the Dridex malware
  • Evgeniy Mikhailovich Bogachev, who was identified as the creator of Cryptolocker ransomware, first launched in December 2016

Making ransom payments to sanctioned individuals or jurisdictions endangers U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activity may allow hackers and adversaries with a sanctions nexus to profit and advance their illicit objectives.

U.S. persons are generally prohibited from engaging in direct or indirect transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.

Civil monetary penalties may be imposed for sanctions violations even if the person violating sanctions did not know that they were transacting with an individual prohibited under the sanctions rules and regulations enforced by OFAC. Any person facilitating or paying a ransom demand to sanctioned persons, groups, or regimes could face a financial penalty of up to $20 million.

Many entities never disclose ransomware attacks or report them to the authorities, in order to avoid bad publicity and legal problems; however, by not filing a report they hinder investigation of the attacks by law enforcement. OFAC stated in its advisory that it will consider a company’s prompt and full report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome when the situation is later found to have a sanctions nexus.

The advisory also provides contact information for ransomware victims to find out whether sanctions have been imposed on the attackers, and whether a ransom payment may involve a sanctions nexus.

OFAC has warned against paying a ransom. Not only may doing so violate OFAC policy, it also gives no certainty that payment will result in valid decryption keys being provided. The attackers may also not delete the stolen information, and they could demand further ransom. Paying a ransom could also embolden attackers to carry out further attacks.

OFAC has only issued guidance and cautioned of the sanctions risks of making payments to certain threat actors. Short of a ban on paying ransoms, the attacks are likely to continue as long as they remain lucrative. Only when the attacks stop being profitable are cybercriminals likely to stop carrying them out.