Treasury Dept Advisory Underscores Sanction Risks Associated with Ransomware Payments
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory on the risks of potential sanctions for any organization facilitating ransomware payments. The advisory cautions that facilitating ransomware payments on behalf of a victim may violate OFAC regulations. This includes banks, insurance companies, or anyone else who negotiates or helps deal with attackers sanctioned by OFAC.
Ransomware payment demands can often soar into the millions of dollars for major corporations.
Although paying the ransom to a cybercriminal may be the fastest way to restore operations, it encourages and funds future malicious cyber activities. There is no guarantee that the ransomware attacker will actually release the compromised systems or files. And there is never a guarantee that the attacker has not made a copy of the compromised data to sell on the dark web or to use in future cyberattacks such as phishing emails.
The advisory is not a change in policy, but rather a reminder to organizations of how sanctions apply to ransomware attackers.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” says OFAC.
Notice of the advisory’s release was posted on the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) website.
Ransomware is a type of malicious computer code that takes control of a computer system or IT network and/or encrypts files to deny access to the rightful owner. Ransomware attackers maintain access and control of the compromised systems until their ransom demands are paid.
A ransomware attack may be the work of a state-sponsored threat actor. Payments made to sanctioned jurisdictions are contrary to national security and foreign policy objectives of the United States.
According to CISA, a ransomware attack strikes a new victim every 14 seconds. “Financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims may be violating OFAC regulations,” says CISA.
OFAC’s designations of malicious cyber actors
The attackers responsible for Cryptolocker, SamSam ransomware, WannaCry 2.0, and Dridex malware are all sanctioned by OFAC. The US Treasury designates and imposes sanctions on the attackers behind malware and ransomware attacks as part of various sanctions programs. That means any company doing business with these hackers – which includes paying a ransom – risks penalties from the US Government.
Protect users and computers against ransomware attacks
Outdated applications and unpatched operating systems are the attack vector for many ransomware attacks.
- Keep all apps, software, hardware, and operating systems updated with the latest security patches.
- Never click on a link in an email from someone you don’t know.
- Scrutinize any email containing links or attachments. Read our guide on how to spot a phishing email.
- Never open an email attachment from someone you don’t know or if you were not expecting a document to be sent to you.
- Back up all data and systems on a regular schedule. Keep a copy of the backups offline.
- Do not rely on backups stored on the same server as the original data.
- Read CISA’s Good Security Habits for more information.
- Train employees in cybersecurity best practices.
U.S. government resources for reporting ransomware attacks
“Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,” says the OFAC advisory.