With the volume of ransomware attacks increasing exponentially over the past year, the federal government decided to step forward. On Oct. 1, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) posted an "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments." This document reiterates and provides details on the fine line some incident response providers, insurance companies, law firms, and others are currently walking:
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
Essentially, Treasury is signaling that organizations that pay ransomware could be at risk of prosecution for running afoul of US laws if the person or organization they're paying is on a sanctions list. For individuals in the incident response industry, this should not be a surprise.
Incident response providers should clearly explain to their customers the full scope of the response and recovery process — including how to prepare for and avoid potential regulatory pitfalls like the one outlined in the advisory. But with a lot of gray areas in their guidelines, OFAC doesn't make this easy.
Understanding the Advisory and OFAC
To better understand the new advisory, we called OFAC's Sanctions Compliance and Evaluation Division and left a message. A representative from the division called back quickly and we asked several questions about the reporting process and OFAC's role. OFAC's position is that if someone calls and provides relevant data, the office will do its best to assist. However, OFAC's lack of prescriptive guidance leads to some ambiguity on the practical implications of the advisory, and consequently breach victims must be cognizant of potential pitfalls.
Specifically, one major area of consideration we uncovered by reviewing the guidance and talking to the Sanctions Compliance Division is the fact that the guidelines assume all parties to a transaction are known to each other. In other words, each can easily be searched and found on the OFAC Sanctions list. In speaking with OFAC, we described how problematic this is likely to be for ransomware victims.
For example, in most untargeted, opportunistic ransomware attacks, the threat actors will be unknown. The ransom note will contain a burner email address and possibly a cryptocurrency wallet ID. Verifying the identity of the individual or entity on the other side of the e-mail will be all but impossible for even sophisticated security teams, let alone for the bulk of teams that have constrained resources.
In a targeted ransomware attack, the incident response provider may be able to put together enough threat intelligence based on the observed tactics, techniques, and protocols to make an educated guess on the region and/or potential threat actor group. Knowing the region may help in avoiding OFAC violations because the sanctions lists are in some cases categorized by country.
In either case, attribution is exceedingly difficult when dealing with cybersecurity threats, creating an unreasonable burden in avoiding potential sanctions from OFAC.
Cybersecurity and incident response professionals can take some comfort in the fact that the Sanctions Compliance and Evaluation Division at OFAC is aware of this gap. But we wouldn't recommend using that as a defense. The advisory recommends that organizations implement a risk-based compliance program in which "companies should account for the risk that a ransomware payment may involve a SDN (specially designated national) or blocked person, or a comprehensively embargoed jurisdiction." In other words, plan for the cost of potential OFAC violations in addition to, or as cost of responding to, a ransomware attack.
It is also worth noting that OFAC’s advisory said it "will also consider a company's self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome." Therefore, organizations should be reporting and working with law enforcement proactively during a ransomware incident, especially when negotiation and payment are being considered.
As a relevant side note, the Treasury Department's advisory included a footnote link for more information about the OFAC Compliance Commitments Framework, but more than a month after publishing, that link was still not operational. Here is a functional link to that framework.
How to Search the Sanctions Database
OFAC maintains a Consolidated Sanctions List that can be searched for individuals that are sanctioned. And even though it can be difficult or even impossible to identify an attacker, knowing how to use the OFAC database can be helpful. For example, knowing the type of ransomware impacting an organization could potentially play a role in identifying those behind it. In some cases, you can follow Treasury Department press releases such as the one in 2016 that identified Evgeniy Mikhailovich Bogachev as a sanctioned entity, given his association with the Zeus malware family. However, there is also the dynamic search, which provides much more value.
The primary place to search for sanctioned entities or individuals in connection with ransomware is under the "CYBER2" program, which is shown below.
Within this section, the results for both individuals and entities will appear such as the one below showing Evil Corp (aka the Dridex Gang, out of Moscow), the entity that was recently associated with the WastedLocker ransomware. Evil Corp has been previously associated with the Dridex malware and BitPaymer ransomware.
As an incident responder, it's important to clearly state to an organization's leadership that laws regulate ransom payments. In addition, it's important to understand the adversary. For instance, Evil Corp is just one of the sanctioned entities that appear to be selective in terms of the infrastructure it targets when deploying its ransomware. Typically, Evil Corp hits file servers, database services, virtual machines, and cloud environments. The key point here is that knowledge of the adversary's tactics helps focus on the remediation and response efforts and puts the OFAC guidance into context as well.
Leveraging the right response strategy, following the regulations, and understanding the ransom entity are the fundamentals in any ransomware outbreak. It's key to have an incident response provider or a knowledgeable expert internally who can coordinate this activity in accordance with the law. This is much more important than working with someone who simply tells you they can easily negotiate the payment.