Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2020
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

An alarming new advisory issued today by the federal government could upend ransomware response.

As if getting hit with ransomware wasn't stressful enought, there's now a new element to worry about besides whether you'll get your data and servers back: paying ransom to a cybercriminal or group that has been hit with sanctions by the US Treasury Department.

In a surprising advisory issued today that likely will cause consternation among cybersecurity professionals and organizations faced with ransomware attacks, the Treasury's Office of Foreign Assets Control (OFAC) warned of possible US policy violations for organizations or individuals who pay ransom to ransomware attackers who have been officially sanctioned by OFAC. 

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory said. 

Although law enforcement officials and experts advise victim organizations not to pay when hit with ransomware attacks, many victims have had to cough up cryptocurrency if they don't have protected backups of their locked-down systems, for example.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: What Legal Language Should I Look Out for When Selecting Cyber Insurance?

The advisory notes that the act of paying ransom to sanctioned individuals risks having those funds then used against the US.

"For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data," the advisory said.

The alarming advisory cites the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), which prohibit US citizens from "engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons." That includes countries and regions such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.

OFAC warned that paying ransom to a sanctioned entity could result in civil penalties, regardless of whether or not the victim or third-party facilitator knew they were sending money to a sanctioned entity. 

It warns third parties who negotiate or provide support for ransom payments for the victim to make a plan.

"As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," it advised. "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services." 

But the good news, if any, here is that the Treasury OFAC will cut ransomware victims some slack if they provide a "timely, complete report" of the attack to law enforcement.

"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisory said.

And if a victim believes a ransomware attacker may be a sanctioned entity, OFAC says they should contact the Treasury's Office of Cybersecurity and Critical Infrastructure Protection "immediately."

Last month the Treasury imposed sanctions on Iran's APT39 (aka Chafer and ITG07) hacking team, as well as on 45 other associates and a front company known as Rana Intelligence Computing Company as part of a coordinated federal government effort to crack down on Iran's hacking of US interests.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florian_Zeeb
50%
50%
Florian_Zeeb,
User Rank: Apprentice
10/7/2020 | 8:18:39 PM
To pay or not to pay, this is the question
In general, I firmly believe that we should not negotiate with criminals or terrorists or respond to their demands but...

What happens when the company must make a decision between payment or bankruptcy? when there is no other option to restore the IT systems, if the disaster recovery and business continuity plans are not working?

If a company have appropriated security measures in place but the attack is so sophisticated that the last option to stay in business is to pay the ransom shouldn't it be considered?

 

Florian
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20092
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
CVE-2020-21342
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
CVE-2020-25713
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
CVE-2020-27823
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27830
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.