US Govt Warns Of Sanction Risks For Facilitating Ransomware Payments

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) today said that organizations that assist ransomware victims to make ransom payments are facing sanctions risks as their actions could violate OFAC regulations.

OFAC’s advisory comes after the FBI said in February 2020 that, based on its analysis of collected ransomware bitcoin wallets and ransom notes, ransomware victims have paid to their attackers at least $140 million between January 2013 and July 2019.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” OFAC explains.

OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

The advisory published today by the financial intelligence and enforcement agency also includes contact information to be used when dealing with threat actors asking for ransomware payments who might be sanctioned or have a sanctions nexus.

While the advisory highlights ransomware payments sanctions risks, OFAC says that it “is explanatory only and does not have the force of law,” and that it shouldn’t be interpreted as “imposing requirements under U.S. law.”

Also Read: Deemed Consent PDPA: How Do Businesses Comply?

Victims encouraged to disclose attacks to avoid sanctions

OFAC reassures companies who get hit by a ransomware attack that disclosing the incident to law enforcement and their collaboration during the investigation would be considered when evaluating future sanction risks they may face after a ransomware payment.

As companies prefer to avoid legal issues and negative publicity, many ransomware attacks go unreported to law enforcement.

Unfortunately, this means that law enforcement is not provided indicators of compromise, which hamper their investigations into ransomware operations.

By reducing the potential risks of sanctions violations if reported to law enforcement, OFAC’s guidance could allow an increase of disclosures to the FBI.

“Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,” the Department of Treasury agency says.

“OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.”

The Treasury urges victims to immediately contact OFAC when they believe that a ransomware payment request may involve a sanctions nexus to avoid future sanction risks themselves.

Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.

Sanctioned ransomware gangs

Among the ransomware groups that OFAC has added to its sanctions list, the advisory mentions the developer of Cryptolocker, Iranian actors connected to SamSam ransomware, three North Korean hacking groups, and the Evil Corp cybercrime group:

• Sanctioned the developer of Cryptolocker ransomware, Evgeniy Mikhailovich Bogachev, in December 2016 (Cryptolocker was used to infect more than 234,000 computers starting in 2013, approximately half of which were in the US)

• Sanctioned two Iranians for providing material support to SamSam ransomware in November 2018 (SamSam was used to target mostly U.S. government institutions and companies starting in late 2015 and lasting approximately 34 months)

• Lazarus Group and two sub-groups, Bluenoroff and Andariel, were sanctioned in September 2019 (these groups were linked to WannaCry 2.0 ransomware that infected approximately 300,000 computers in at least 150 countries in May 2017)

• Evil Corp and its leader, Maksim Yakubets, were sanctioned in December 2019 (the Russia-based cybercrime organization used Dridex malware harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft starting with 2015; Evil Corp has recently added WastedLocker ransomware to its arsenal)

“OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities,” the agency concludes.

Also Read: MAS Technology Risk Management Guidelines

Expected developments by those involved in ransomware recovery

OFAC’s statement was no surprise for at least one company involved in ransomware incident response as Coveware’s CEO Bill Siegel told BleepingComputer.

“Today’s statement by the Department of Treasury should come as no surprise given the current environment,” Siegel said. “The payment of a ransom IS the revenue line item for the cyber extortion economy and should be avoided by all means by any victim.”

“Navigating the compliance aspects of this decision is complex and opaque to a victim of ransomware who has likely never dealt with an incident of this nature. For these express reasons, Coveware has maintained a sanctions and financial crime compliance program since its founding so that we and the victims of ransomware who we serve can assess and mitigate the risks that the Department of Treasury outlined.

“Coveware also keeps its own internal restricted list, which includes additional threat actor groups, jurisdictions, and ransomware variants that we restrict, even though these groups may not be directly listed on the OFAC sanctions list. We prohibit any engagements that involve unauthorized payments to entities listed on the SDN list, and multiple other international sanctions lists.

“We have also voluntarily reported our case data to law enforcement every quarter since inception in an effort to augment active investigations.  We are glad the Department of Treasury and other agencies are creating awareness of this problem by outlining these risks for the public.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have also issued a joint ransomware guide yesterday that details ransomware prevention actionable best practices and a ransomware response checklist.

H/T Alon Gal (UnderTheBreach)

Update: Added Bill Siegel’s statement.