Companies, governments, and organizations affected by crippling ransomware attacks now have a new concern to contend with – large fines from the U.S. Department of the Treasury if they pay to recover their data.
Treasury Department officials made the advisory official in a statement released Thursday. It warns that payments to specific entities or to any entity in specific countries
The ban applies not only to the infected organization but also to every company or contractor it works with on security or insurance, including providers of cyber insurance, digital forensics and incident response, and any financial services that facilitate or process ransom payments.
Enabling criminals
“Facilitating a ransomware payment required as a result of malicious cyber-activities may enable criminals and adversaries with a sanctions context to monetize and advance their illegal targets,” the advisory said. “For example, ransomware payments to sanctioned individuals or to extensive sanctioned jurisdictions could be used to fund activities that are unfavorable to U.S. national security and foreign policy objectives. Ransomware payments can also stimulate cyber actors to participate in future attacks. In addition, paying a ransom to cybercriminals does not guarantee that the victim regains access to its stolen data.”
By law, U.S. persons are generally prohibited from engaging directly or indirectly in transactions with individuals or organizations on OFAC’s Specially Designated Nationals and Blocked Persons List or other prohibited lists, or with those in Cuba, Iran, North Korea and other sanctioned countries or regions. In recent years, the Treasury Department has added several well-known cyber threat groups to its list of designees. They include:
To pay or not to pay?
Police and security consultants have generally advised against paying ransomware demands because the payments only fund and encourage new attacks. Unfortunately, paying is often the fastest and cheapest way to recover. The city of Baltimore incurred a loss of more than $18 million after being locked out of its IT systems; the attackers behind the ransomware had demanded $70,000. In response, some companies that claim to offer incident response services for ransomware attacks simply pay the attackers.
Thursday’s advisory did not say that paying a ransom is forbidden in every case.
Thursday’s advisory warned that there are other reasons not to pay. It further explained that the bans on ransom payments are broader than many people assume. Fines may be imposed on any U.S. person who, regardless of location, is involved in a transaction that causes a non-U.S. person to perform a prohibited act. OFAC can also impose civil penalties based on “strict liability,” a legal principle that holds a person or group liable even if they did not know, or had no reason to know, that they were dealing with someone prohibited under sanctions law.
“In general, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” the advisory said. “This also applies to companies engaging with victims of ransomware attacks, such as those involved in the provision of cyber insurance, digital forensics and incident response, and financial services that may involve the processing of ransom payments (including depository and money services).”
The advisory went on to say that people will not be penalized in every case for paying a ransom. In some cases, victims may receive a waiver in advance to pay a ransom. In other cases, violations can be excused or remedied.
“According to OFAC’s enforcement guidelines, OFAC will also consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement as a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,” officials wrote. “OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack as a significant mitigating factor when assessing a possible enforcement outcome.”
Post updated to add the last two paragraphs.