Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2020
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

An alarming new advisory issued today by the federal government could upend ransomware response.

As if getting hit with ransomware wasn't stressful enought, there's now a new element to worry about besides whether you'll get your data and servers back: paying ransom to a cybercriminal or group that has been hit with sanctions by the US Treasury Department.

In a surprising advisory issued today that likely will cause consternation among cybersecurity professionals and organizations faced with ransomware attacks, the Treasury's Office of Foreign Assets Control (OFAC) warned of possible US policy violations for organizations or individuals who pay ransom to ransomware attackers who have been officially sanctioned by OFAC. 

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory said. 

Although law enforcement officials and experts advise victim organizations not to pay when hit with ransomware attacks, many victims have had to cough up cryptocurrency if they don't have protected backups of their locked-down systems, for example.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: What Legal Language Should I Look Out for When Selecting Cyber Insurance?

The advisory notes that the act of paying ransom to sanctioned individuals risks having those funds then used against the US.

"For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data," the advisory said.

The alarming advisory cites the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), which prohibit US citizens from "engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons." That includes countries and regions such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.

OFAC warned that paying ransom to a sanctioned entity could result in civil penalties, regardless of whether or not the victim or third-party facilitator knew they were sending money to a sanctioned entity. 

It warns third parties who negotiate or provide support for ransom payments for the victim to make a plan.

"As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," it advised. "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services." 

But the good news, if any, here is that the Treasury OFAC will cut ransomware victims some slack if they provide a "timely, complete report" of the attack to law enforcement.

"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisory said.

And if a victim believes a ransomware attacker may be a sanctioned entity, OFAC says they should contact the Treasury's Office of Cybersecurity and Critical Infrastructure Protection "immediately."

Last month the Treasury imposed sanctions on Iran's APT39 (aka Chafer and ITG07) hacking team, as well as on 45 other associates and a front company known as Rana Intelligence Computing Company as part of a coordinated federal government effort to crack down on Iran's hacking of US interests.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florian_Zeeb
50%
50%
Florian_Zeeb,
User Rank: Apprentice
10/7/2020 | 8:18:39 PM
To pay or not to pay, this is the question
In general, I firmly believe that we should not negotiate with criminals or terrorists or respond to their demands but...

What happens when the company must make a decision between payment or bankruptcy? when there is no other option to restore the IT systems, if the disaster recovery and business continuity plans are not working?

If a company have appropriated security measures in place but the attack is so sophisticated that the last option to stay in business is to pay the ransom shouldn't it be considered?

 

Florian
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29458
PUBLISHED: 2020-12-02
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.
CVE-2020-29456
PUBLISHED: 2020-12-02
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in ...
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...