Dark Reading

Risk

10/1/2020 04:30 PM
US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

An alarming new advisory issued today by the federal government could upend ransomware response.

As if getting hit with ransomware wasn't stressful enough, there's now a new element to worry about besides whether you'll get your data and servers back: paying ransom to a cybercriminal or group that has been sanctioned by the US Treasury Department.

In a surprising advisory issued today that likely will cause consternation among cybersecurity professionals and organizations faced with ransomware attacks, the Treasury's Office of Foreign Assets Control (OFAC) warned of possible sanctions violations for organizations or individuals who pay ransom to ransomware attackers who have been officially sanctioned by OFAC.

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory said.

Although law enforcement officials and experts advise victim organizations not to pay when hit with ransomware attacks, many victims have had no choice but to cough up cryptocurrency, for example when they lack protected backups of their locked-down systems.

The advisory notes that the act of paying ransom to sanctioned individuals risks having those funds then used against the US.

"For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data," the advisory said.

The advisory cites the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), which prohibit US persons from "engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons." That includes countries and regions such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.

OFAC warned that paying ransom to a sanctioned entity could result in civil penalties, regardless of whether the victim or third-party facilitator knew they were sending money to a sanctioned entity.

It also urges third parties that negotiate or facilitate ransom payments on a victim's behalf to put a compliance plan in place.

"As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," it advised. "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services)."

The good news, if any, is that OFAC will cut ransomware victims some slack if they provide a "timely, complete report" of the attack to law enforcement.

"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisory said.

And if a victim believes a ransomware attacker may be a sanctioned entity, OFAC says they should contact the Treasury's Office of Cybersecurity and Critical Infrastructure Protection "immediately."

Last month the Treasury imposed sanctions on Iran's APT39 (aka Chafer and ITG07) hacking team, as well as on 45 other associates and a front company known as Rana Intelligence Computing Company as part of a coordinated federal government effort to crack down on Iran's hacking of US interests.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments

Florian_Zeeb, User Rank: Apprentice
10/7/2020 | 8:18:39 PM
To pay or not to pay, this is the question
In general, I firmly believe that we should not negotiate with criminals or terrorists or respond to their demands but...

What happens when the company must make a decision between payment and bankruptcy, when there is no other option to restore the IT systems, if the disaster recovery and business continuity plans are not working?

If a company has appropriate security measures in place but the attack is so sophisticated that the last option to stay in business is to pay the ransom, shouldn't it be considered?

Florian