This week, the U.S. Treasury Department issued an advisory warning firms that facilitate ransomware payments about the potential legal ramifications of transmitting money to sanctioned entities.
The Treasury Department's Office of Foreign Assets Control (OFAC) reports that there has been a spike in ransomware attacks on U.S. organisations, which has contributed to a rise in demand for ransomware payments.
Following ransomware attacks, numerous organisations around the world, including some cities and colleges in the U.S., have paid large sums of money to retrieve their files.
The Treasury Department warns, however, that firms that facilitate ransomware payments to cybercriminals on behalf of victims not only encourage future attacks, but also risk violating OFAC regulations. Specifically, the advisory lists cyber insurance agencies, financial institutions, emergency management providers and computer forensics firms as organisations that can facilitate payments for ransomware.
In recent years, several cyber threat actors have been sanctioned, including those linked to malware such as Cryptolocker (linked to a Russian person), SamSam (linked to Iranians), WannaCry (linked to North Korea) and Dridex (linked to a Russian organisation), OFAC noted.
Companies are warned that ransom payments made to sanctioned persons or countries may be used to finance actions that are detrimental to the national security and foreign policy interests of the United States. The advisory further points out that paying the ransom not only enables the threat actor to launch further attacks, but also comes with no assurance that the victim will recover access to their files.
The advisory notes: “OFAC can enforce civil fines for penalty breaches based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly responsible even though he did not know or have cause to know that he was engaged in a transaction with a person forbidden under OFAC-administered penalty laws and regulations.”
Evan Wolff, a cyber lawyer and partner at the multinational law firm Crowell & Moring, spoke in a fireside chat at a recent CISO Forum about the legal problems that CISOs might face because of their actions, and one of the scenarios he discussed was paying to recover from a ransomware attack. The Treasury Department’s advisory confirms Wolff’s warning about personal responsibility.
The advisory recommends that businesses “implement a risk-based compliance scheme to reduce exposure to penalty-related violations,” and points out that disclosing a ransomware attack to law enforcement in a timely manner and coordinating with law enforcement is considered an “important mitigating factor in deciding an effective prosecution outcome if the case is ultimately decided to have a sanctions nexus.”
“A registry of sanctioned agencies is already issued by OFAC. Prior to paying ransom requests, victim organisations are expected to review the list. The real identities of cyber criminals extorting people, though, are generally not established, because it is impossible for organisations to assess if they are inadvertently breaching United States sanctions from the Treasury. Victims often pay threatened performers before they are disciplined,” Charles Carmakal, SVP & CTO at FireEye Mandiant, told. “For instance, several victims have paid the ‘SamSam’ ransomware operators in the past, not recognising they were based in Iran at the time.
The entities (referred to as “EvilCorp”) associated with the Dridex banking malware have been added to the WastedLocker ransomware family in recent months. Few extort payment companies have agreed that, out of fear of breaching the U.S. Treasury fines, they will not meet extortion fees linked with WastedLocker accidents,” he said.