Feds Say Ransomware Payments May Lead to Sanctions

Chances are, you’ve never heard of the Office of Foreign Assets Control (OFAC). However, if your company is trying to recover from a ransomware attack, you could unwittingly find yourself in OFAC’s crosshairs and subject to business-crippling fines and penalties.

OFAC has been called “the most powerful yet unknown agency in the U.S. government.” An agency within the Department of the Treasury, OFAC implements and enforces economic sanctions against foreign states, terrorist organizations and other criminal enterprises deemed to be a threat to U.S. national security. It wields formidable clout, with the authority to enforce sanctions by imposing fines, freezing assets and even outright barring firms and individuals from operating in the U.S.

Recently, the agency has begun turning more of its attention to foreign entities responsible for increasing numbers of ransomware attacks in the U.S. In an advisory opinion issued on Oct. 1, OFAC warned that U.S. companies could face potential sanctions for making ransomware payments.

Harsh Penalties Possible

At issue is the fact that many ransomware perpetrators are part of vast international criminal groups such as North Korea’s Lazarus Group, Russia’s Evil Corp., and Iran’s APT39, all of which are under sanction by OFAC. A variety of laws and regulations, including the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), prohibit U.S. companies and citizens from engaging in any sort of direct or indirect transactions with these sanctioned groups.

The laws apply not only to companies making payments to cybercrime groups, but also anyone who facilitates payments on behalf of victims. OFAC says this includes financial institutions, cyber insurance firms and companies involved in digital forensics and incident response. Violations could result in fines of up to $20 million — even if you didn’t know you were conducting a transaction with a group on the OFAC sanctions list. However, the OFAC advisory does note that cooperation with law enforcement officials will be a significant mitigating factor in any enforcement action.

It is important to note that the OFAC advisory does not have the force of law but merely explains OFAC’s interpretation of IEEPA, TWEA and other current laws. Still, as a reflection of the agency’s legal reasoning, the advisory provides meaningful guidance about potential enforcement measures.

The advisory comes at a time of surging ransomware attacks. This summer, the FBI noted it experienced a 400 percent increase in reports of ransomware attacks as criminals look to exploit the fear and uncertainty surrounding the COVID-19 pandemic.

Funding Terrorists?

Ransomware victims frequently choose to pay the ransom in order to regain access to their encrypted data. Most perceive it as a faster and more cost-effective way to restore operations when compared to trying to rebuild systems and restore everything from backup systems. According to one study, roughly three-quarters of all victims have paid the ransom this year, up from less than half in 2019.

However, OFAC notes that these payments provide critical funding for criminal organizations and in some cases may be funding terrorist attacks. For example, there are unconfirmed reports that the ISIS terrorists responsible for the 2015 Paris attacks were funded by ransomware bitcoin payments. At the very least, ransomware payments likely embolden cyber actors to engage in future attacks.

With its recent advisory, OFAC is taking a hard line against ransomware payments. Potential federal penalties should make organizations think twice about negotiating with extortionists. Your best bet is a layered security environment that helps limit the risk of an attack. SSD can help you implement a variety of tools that help identify and contain ransomware before it causes any real damage. Call us to learn more.