Companies hit by ransomware could find themselves in the crosshairs of the federal government if the group behind the attack is subject to economic sanctions, the Department of the Treasury warned in a new advisory.
Treasury’s Office of Assets Control notes that certain individuals or groups that use or develop ransomware strains – like Evil Corp, Lazarus Group and SamSam -- are subject to the office’s cyber-related sanctions program. Those sanctions make it illegal for most companies to directly or indirectly do business with or transfer money to individuals and entities on the list.
Companies who decide to pay up when their systems and data are infected by ransomware are at risk of violating the International Emergency Economic Powers Act or the Trading With the Enemy Act. This includes both direct payments and payments done by third parties, including cyber insurers, digital forensics firms, incident response teams or financial institutions that process ransom payments.
U.S. persons “are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by extensive country or region embargoes,” the memo states.
The penalties can leave a company open to civil penalties “even if [the payer] did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
Many experts in cybersecurity and law enforcement agencies advise companies to avoid paying ransomware groups who lock up their sensitive data. The logic behind those pleas are rooted in the explosive growth in the use of ransomware over the years from a niche malware to one of the primary threats in cybersecurity today. That growth, officials say, has largely been fueled and funded by ransom dollars collected from affected companies. And every successful payment only validates the business strategy of ransomware groups, allows for greater investment in tools and capabilities, and puts other companies at higher risk for similar attacks in the future.
The U.S. government has worked in recent years to increase the costs for high-profile criminal and state-aligned cyber groups, hitting them with criminal indictments, financially strangling their operations through sanctions and cutting off the ability for individuals to travel around the globe. Officials believe ransom payments from companies threaten national security interests, and the OFAC memo says payments sent to sanctioned individuals and groups “could be used to fund activities adverse to the national security and foreign policy objectives of the United States.”
Some former government officials, like Rob Knake, who worked as director of Cybersecurity Policy on the National Security Council under the Obama administration, have argued in favor of making it illegal for companies to pay ransomware groups.
Criminal groups have "built these organizations starting from that $50 ransomware from your grandmother's computer, taking that money and reinvesting it in their capability and so what we're seeing today is the result of that," Knake said in May. "We have grown these criminal enterprises, we have paid their R&D budgets and now they are targeting us and we are in very bad shape."
However, what’s good for the overall cybersecurity ecosystem may be bad for an individual company that is facing the prospect of having their sensitive data erased or sold on the black market, a setback that can cripple or ruin a business depending on whether they have adequate backups stored offsite and a road-tested incident response plan.
Attribution for ransomware attacks also can take time that targeted organizations don't have.
"OFAC already provides a list of sanctioned entities. Victim organizations are required to check the list prior to paying extortion demands," said FireEye Chief Technology Officer Charles Carmakal. "However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions."
Further complicating matters, victims sometimes pay threat actors before they are sanctioned. Carmakal pointed to victims of “SamSam” ransomware operators as an example, many of whom paid before knowing they were based in Iran.
It’s also not just private industry being targeted; critical infrastructure, governments and school systems have all increasingly become targets of ransomware, often because they provide essential services and cannot afford to shut down or halt operations for very long.
“What if the victim is a hospital? A city government?” asked Phil Reitinger, a former deputy under secretary for the federal government’s primary civilian cyber agency and current president and CEO of the non-profit Global Cyber Alliance. “It seems to me those who most ardently oppose ransom payments are those who don’t have to deal with real consequences.”
In the memo, OFAC advises financial institutions and private companies to create risk-based compliance programs around ransomware to mitigate exposure to sanctions violations and promptly contact federal law enforcement. A company’s “self-initiated, timely and complete report of a ransomware attack to law enforcement” will be a significant factor in OFAC’s determination around penalties or enforcement actions.