The U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory today warning that companies that facilitate ransomware payments may put themselves at risk of additional financial penalties from the U.S.
That is because, under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), American citizens are prohibited from transacting with embargoed countries or with people on OFAC’s Specially Designated Nationals and Blocked Persons List, the sort of people who are likely to carry out a ransomware attack.
As ransomware attacks rise, companies have emerged to help facilitate the payments that make it all go away. The advisory specifically mentioned “financial institutions, cyber insurance firms, the companies involved in digital forensics and incident response,” suggesting that they create a not-so-virtuous cycle by “encourag[ing] future ransomware payment demands.”
Ransomware is malware designed to take over a computer system and render it inaccessible unless the owner pays the demanded price, usually in cryptocurrency, to have it unlocked. The FBI found a 37% increase in reported cases in the previous year, and things haven’t slowed down because of COVID-19. At the onset of the pandemic, everyone from area hospitals to the World Health Organization was hit with attacks and told to pay in cryptocurrency.
Given the recent high-profile attacks, OFAC’s warning should hardly come as a surprise.
The network of GPS company Garmin went down in July, and a week later the company confirmed a hack by a group that had demanded $10M. Further reporting found that the likely culprit was a Russian hacker group known as Evil Corp, which was sanctioned last December by the Treasury Department for allegedly hacking U.S. companies on behalf of Russia.
Garmin didn’t confirm that it had paid the ransom. However, such a payment could have been illegal, even if Garmin had contracted with parties outside the U.S. The OFAC advisory confirms that this would have been prohibited, even name-checking Evil Corp.
The government’s particular worry is that paying ransoms will allow groups designated as malicious actors, from Evil Corp to North Korea’s Lazarus Group, to get money when the entire purpose of sanctions is to starve those groups of the cash they need to operate.
And, as the document makes clear, ignorance is not an excuse: “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
On the other hand, this doesn’t mean that ransomware payments can never be made. OFAC’s Enforcement Guidelines ask companies in the business of facilitating ransomware payments to “implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” The same companies should also consider their “regulatory obligations” under the Financial Crimes Enforcement Network (FinCEN), OFAC stated.