US Treasury Advisories Cite Potential Sanctions for Ransomware Payments

June 1, 2021
IT Security

When ransomware strikes, giving in to the attackers’ demands is seldom a good thing. While doing so might enable an organization to regain access to its data (that’s what Colonial Pipeline and Garmin did), it makes that organization more susceptible to future extortion attempts. It also emboldens the cyber criminals to continue their exploits. That’s why law enforcement agencies and cyber security experts generally recommend against paying ransoms.


There’s also the possibility that ransomware payments may be used to fund illicit and/or illegal activities such as money laundering or human rights abuses. When that happens, the companies making ransom payments risk violating US government regulations — even though they’re the victims of the ransomware attack.

Two advisories issued by the U.S. Department of the Treasury’s Office of Terrorism and Financial Intelligence in October 2020 bring attention to this issue and to the potential for organizations that make or facilitate ransom payments to find themselves on the wrong side of the law. That includes not only the victims of ransomware attacks. Companies that provide cyber insurance, digital forensics and incident response, and financial services organizations that process ransom payments are also at risk.

The key takeaway from the advisories is that, to avoid the risk of violating US sanctions, organizations need:

  • Reliable data backup so if they fall victim to a ransomware attack, they don’t have to pay to regain data access.
  • Strong data security and compliance programs to mitigate the risk of ransomware or other cyberattacks in the first place.

The OFAC Advisory

Many of the players behind ransomware attacks are entities and individuals — sometimes even specific countries — on the Treasury’s Office of Foreign Assets Control (OFAC)’s Specially Designated Nationals and Blocked Persons List (“SDN List”). Investigative agencies have identified several criminal actors conducting ransomware attacks as having ties to or residing in countries such as North Korea, Iran, and Russia.

Remember back in May 2017 when the ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries? The attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. It’s on the SDN List.

Entities and individuals make the list because of their suspected involvement in criminal activities and activities that could threaten national security. It’s not surprising that the US government wants to prevent funds from reaching any individual or entity on the list — including ransomware payments. The advisory issued by the OFAC makes that clear.

The “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” states:

“Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).

“Additionally, any transaction that causes a violation under the International Emergency Economic Powers Act (IEEPA), including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations.”

Not knowing that an organization is on the SDN List is no excuse. The advisory notes that OFAC may impose sanctions even if the victim didn’t know or have reason to know it was engaging in a transaction with a person prohibited under OFAC-administered sanction laws and regulations.

Of course, there may be legitimate reasons for certain transactions with restricted entities. In these situations, organizations can obtain a license from OFAC. However, there’s no guarantee that the license will be approved — even in the cases of ransomware.

What the OFAC does recommend in the event an organization falls victim to ransomware is that, rather than paying a ransom, it works with the authorities to catch the cyber criminals and mitigate potential penalty exposure.

The FinCEN Advisory

The same day the OFAC released its advisory, the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued one of its own entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.”

Educational in nature, the advisory provides insightful information on:

  • The role of financial intermediaries in the processing of ransomware payments, and the use of convertible virtual currency (CVC)
  • Trends and typologies of ransomware and associated payments, including the increasing sophistication of ransomware operations
  • Ransomware-related red flags (financial indicators)
  • Reporting and sharing information related to ransomware attacks — specifically the obligations of U.S. financial institutions regarding Suspicious Activity Reporting (SAR) and USA PATRIOT Act Section 314(b)

The advisory makes it clear that it’s not just the victims of ransomware that are at risk of penalties for paying off cyber criminals. The organizations that assist them in doing so face repercussions as well.

What the Advisories Mean for You

If you read other blogs about the advisories, you’ll find there are those in the IT industry who find some of the information vague, confusing or even unfair. Regardless, the bottom line is that ransomware is not to be taken lightly. If and when ransomware strikes, giving in to the attackers’ demands can have an extremely negative, far-reaching impact that goes beyond a company’s own data.

It’s not a hopeless situation, however. Implementing a robust, reliable data protection program — and staying on top of regulatory requirements and government and industry data security and privacy guidelines — can help mitigate attacks and minimize damage if they do occur. Specific things you can do include:

  • Proactively protecting against ransomware with the latest data protection technologies and best practices. That includes frequent employee training.
  • Monitoring your systems (yourself or by outsourcing the task) to detect ransomware or other data breaches.
  • Implementing a plan to minimize downtime and damages if you do identify or suspect ransomware.
  • Deploying and regularly testing a comprehensive disaster recovery plan that includes reliable backup, replication and recovery tactics to ensure the integrity and availability of your data. If you always have copies of your data, you’ll be less likely to be in a position where you have to pay a ransom to regain data access.
  • Implementing leading-edge security technologies and managed security services to further protect your data and IT systems. This can help you with the next item.
  • Frequently reviewing your compliance obligations for all relevant regulatory requirements, government mandates and industry standards — and employing the necessary processes and technologies to meet them. Seek outside expertise if needed.


US Signal Can Help

To learn more about combatting ransomware, and about avoiding situations that could put your organization at odds with the US Treasury if you do fall victim to an attack, take advantage of US Signal’s free data protection resources.

Download now: 12-Point DR Planning List

Or, talk to US Signal. Our solution architects and compliance experts can assess your current data protection efforts and help you develop and implement a plan that better prepares you for ransomware and other business-disrupting situations. Two services you may want to consider: Managed Firewall and Vulnerability Management as a Service (with SOC Analysis). Watch for future blogs about them.

Contact us now. 866.2.SIGNAL or email: [email protected]