Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2020
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

An alarming new advisory issued today by the federal government could upend ransomware response.

As if getting hit with ransomware wasn't stressful enought, there's now a new element to worry about besides whether you'll get your data and servers back: paying ransom to a cybercriminal or group that has been hit with sanctions by the US Treasury Department.

In a surprising advisory issued today that likely will cause consternation among cybersecurity professionals and organizations faced with ransomware attacks, the Treasury's Office of Foreign Assets Control (OFAC) warned of possible US policy violations for organizations or individuals who pay ransom to ransomware attackers who have been officially sanctioned by OFAC. 

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory said. 

Although law enforcement officials and experts advise victim organizations not to pay when hit with ransomware attacks, many victims have had to cough up cryptocurrency if they don't have protected backups of their locked-down systems, for example.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: What Legal Language Should I Look Out for When Selecting Cyber Insurance?

The advisory notes that the act of paying ransom to sanctioned individuals risks having those funds then used against the US.

"For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data," the advisory said.

The alarming advisory cites the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), which prohibit US citizens from "engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons." That includes countries and regions such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.

OFAC warned that paying ransom to a sanctioned entity could result in civil penalties, regardless of whether or not the victim or third-party facilitator knew they were sending money to a sanctioned entity. 

It warns third parties who negotiate or provide support for ransom payments for the victim to make a plan.

"As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," it advised. "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services." 

But the good news, if any, here is that the Treasury OFAC will cut ransomware victims some slack if they provide a "timely, complete report" of the attack to law enforcement.

"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisory said.

And if a victim believes a ransomware attacker may be a sanctioned entity, OFAC says they should contact the Treasury's Office of Cybersecurity and Critical Infrastructure Protection "immediately."

Last month the Treasury imposed sanctions on Iran's APT39 (aka Chafer and ITG07) hacking team, as well as on 45 other associates and a front company known as Rana Intelligence Computing Company as part of a coordinated federal government effort to crack down on Iran's hacking of US interests.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florian_Zeeb
50%
50%
Florian_Zeeb,
User Rank: Apprentice
10/7/2020 | 8:18:39 PM
To pay or not to pay, this is the question
In general, I firmly believe that we should not negotiate with criminals or terrorists or respond to their demands but...

What happens when the company must make a decision between payment or bankruptcy? when there is no other option to restore the IT systems, if the disaster recovery and business continuity plans are not working?

If a company have appropriated security measures in place but the attack is so sophisticated that the last option to stay in business is to pay the ransom shouldn't it be considered?

 

Florian
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.