Organizations that are unexpectedly snagged by a ransomware attack are often tempted to simply pay whatever is demanded of them and hope for the best, because the potential downtime and recovery cost often appears to be much worse. The US Treasury is now advising that this may not be the case. The department issued an advisory in early October that warns of potential sanctions violations if ransomware payments are made, citing the possibility of civil penalties even in cases where the organization does not know exactly whom the payments are going to.
US Treasury changes the calculus
The recent report from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) encourages organizations to contact the government before making any ransomware payments, providing a list of agencies and resources that are available. The report establishes that any determination of sanctions violations would be situational, and would depend “significantly” on the organization’s efforts to contact these agencies and their cooperation with law enforcement requests and instruction. The fines could range up to about $300,000 depending on the payment amount.
The US Treasury issued this warning amidst a period of elevated hacking activity, particularly ransomware attacks, taking advantage of new opportunities created by the Covid-19 pandemic. The first half of 2020 saw a 109% increase in ransomware attacks, amidst a 273% increase in large-scale data breaches. Malicious cyber attackers are primarily taking advantage of new opportunities created by the mass shift to work-from-home models: “shadow IT” solutions for getting work done, insecure personal devices and networks, and increased opportunities for phishing, among other causes. As of the second quarter of 2020, security firm Coveware reports that ransomware payments are up 60% to an average of $178,254 per incident.
OFAC has placed a number of known malicious actors and facilitators of ransomware payments on the Specially Designated Nationals and Blocked Persons List. These include the creators of the Cryptolocker, Dridex, WannaCry and SamSam ransomware families. Sanctions extend not just to the named individuals (a list populated with notorious hacking teams such as Lazarus Group and EvilCorp), but also to any known affiliates and associates. While those using the ransomware may not be tied to these sanctioned individuals, one usually has no way of knowing exactly who the ransomware payments are going to.
The US Treasury has clarified that ransomware payments will count as violations of the sanctions on these individuals, even if they are made in an attempt to recover from an emergency. The agency sees these payments as having high potential to be put toward activities that threaten the national security of the United States, and as likely to embolden malicious cyber actors to engage in further attacks. OFAC’s “strict liability” interpretation means that violations are possible even if the identity of the attacker (or whoever is facilitating ransomware payments on their behalf) is not known when the money is turned over.
The potential penalty, described in the OFAC Economic Sanctions Enforcement Guidelines, is civil and would consist of a fine. OFAC has broad latitude to determine if fines are applied and how much is charged in each individual case, and this in turn hinges on the organization’s attempts to get law enforcement involved and willingness to cooperate. Other elements that are considered are any available information that would indicate a risk of the attacker being on the OFAC sanction list, and any Financial Crimes Enforcement Network (FinCEN) regulations an organization might be subject to.
The US Treasury is not taking ransomware payments entirely off the table as an incident response measure, but it is requiring organizations and security firms to get in touch with the appropriate government agencies first and to apply for a license. While the report does not list specific conditions for obtaining a license, a reasonable assumption would be in a case of immediate and severe public harm such as the lockout of a hospital, banking network or utility service.
Negotiating ransomware payments
Tim Erlin, VP for product management and strategy at Tripwire, notes that this is not a new law or US Treasury policy but a firmer reiteration of the status quo regarding ransom payments: “This advisory isn’t a change in the law, but more a reminder of how the current law applies to ransomware incidents. The US Treasury Department is reminding the industry of the potentially big stick they’ve always had in their back pocket.”
OFAC is advising organizations, particularly financial organizations subject to added FinCEN regulations, to implement a risk-based compliance program to mitigate potential exposure to sanctions violations for victims of ransomware attacks who might feel the need to make a payment. The primary takeaway appears to be that the US Treasury, or whichever US law enforcement agencies are relevant, should be looped in immediately, before any decision to make ransomware payments is made. According to Karen Walsh, cyber security compliance expert and the principal at Allegro Solutions: “In the end, the advisory doesn’t really change anything, but it does support financial institutions whose customers may be upset about a payment to a cybercriminal being rejected … As a former Bank Secrecy Act/Anti-Money Laundering auditor, I see the OFAC advisory as a reminder to financial institutions and a first notification to corporations. The OFAC SDN list and FinCEN regulatory requirements are a financial services industry staple, but organizations not bound by these regulatory requirements likely have no idea they exist or how detailed the lists are … a company that has already agreed to paying a ransom may not be able to make good on that promise, leaving them worse off than before.”
Edgard Capdevielle, CEO at Nozomi Networks, also sees the US Treasury advisory as a reminder of the ever-increasing importance of a preventive security program and a robust backup system as an alternative to paying ransoms: “Ransomware attacks and other cyberthreats will remain constant as our personal lives and business operations continue to digitalize. That’s why choosing to pay a ransom is too often a short-sighted response that could come at a high cost. Research has shown that paying a ransom can double the cost of recovery. Building, maintaining and constantly improving an organization’s cybersecurity program is always the best approach and there are certainly tools available today that provide cost effective solutions … When it comes to ransomware attacks, prevention will always be better than a cure.”