Following a ransomware attack, many firms choose to pay the ransom demand to obtain the keys to decrypt files and prevent the sale or publication of data stolen in the attack. Many choose to use third party companies to negotiate with the attackers and pay the ransom. Payment of the ransom is not recommended by the FBI, as there is no guarantee that valid keys to decrypt files will be provided and payment of a ransom encourages threat actors to conduct further attacks. However, in some cases, payment of the ransom is the only option when it is not possible to recover data by any other means.
Last week, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory, warning that in some cases, payment of a ransom could result in sanctions and penalties for the entity that pays the ransom.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” said OFAC.
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
OFAC has already sanctioned several threat actors over the use of ransomware against U.S. organizations, including the developer of Cryptolocker ransomware, two Iranians who provided support for SamSam ransomware, Evil Corp, the group behind Dridex malware and WastedLocker ransomware, and the Lazarus Group, which was involved in the May 2017 WannaCry 2.0 ransomware attacks.
Many threat actors have ties to foreign governments, and those ties have themselves led to sanctions; the Lazarus Group, for instance, operates on behalf of the North Korean government. Any ransom payment to one of the sanctioned groups carries OFAC sanctions risk. OFAC explained that paying a ransom to a sanctioned entity could see the profits from the attack used to advance that entity's cause and could fund further malicious activity that threatens national interests.
“Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations,” explained OFAC.
In the event of a ransomware attack, victims and the firms they engage to contact the attackers should first check with OFAC to find out whether the threat actors have been sanctioned, so that they can then make an informed decision on the best course of action.
“Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,” OFAC explained.