In brief

  • The US Treasury Department's Office of Foreign Assets Control (OFAC) today issued an advisory.
  • The advisory states that ransomware attacks are on the rise.
  • It also warns that anyone who helps facilitate a payment to a sanctioned actor may be violating US sanctions law.

Paying ransomware demands could get a lot pricier.

The US Treasury’s Office of Foreign Assets Control (OFAC) today issued an advisory that companies that facilitate ransomware payments put themselves at risk of additional financial penalties...from the United States.

That’s because, under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), US persons are prohibited from transacting with embargoed countries or with the individuals and entities on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List, which includes several of the groups behind ransomware attacks.

As ransomware attacks grow, companies have emerged to help facilitate payments to make it all go away. The advisory specifically mentions “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” alleging that they create a not-so-virtuous cycle by “encourag[ing] future ransomware payment demands.”

Ransomware is malware that locks a victim out of a computer system or its data, typically by encrypting files, until the owner pays the asking price, usually in cryptocurrency, for the key to unlock them. The FBI recorded a 37 percent increase in reported ransomware cases last year, and attacks have not slowed down during COVID-19. At the onset of the coronavirus pandemic, everyone from local hospitals to the World Health Organization was hit with attacks demanding payment in cryptocurrency.

OFAC’s warning should hardly come as a surprise, given recent high-profile attacks. 

The network for GPS company Garmin went down in July, and a week later the company confirmed a hacking group had demanded $10 million. Further reporting found that the likely culprit was a hacking group from Russia known as Evil Corp, which the Treasury Department sanctioned last December for allegedly hacking US companies on behalf of Russia.

Garmin didn’t confirm it had paid the ransom, but such a payment could have been illegal even if it was routed through a third party outside the US, since IEEPA and TWEA also cover US persons who facilitate a prohibited transaction through a foreign intermediary. The OFAC advisory makes the same point, and it specifically names Evil Corp as an example of a sanctioned ransomware actor.

The government’s specific worry is that ransom payments let groups it has designated as malicious actors, from Evil Corp to North Korea’s Lazarus Group, get money, when the entire purpose of sanctions is to starve such groups (or governments) of the cash they need to operate.

“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the release reads.

And, as the document clarifies, ignorance is not an excuse: “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

However, that doesn’t mean a ransomware payment can never be made lawfully. The advisory encourages companies in the business of facilitating ransomware payments to “implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” and notes that under OFAC’s Enforcement Guidelines a self-initiated, timely report of an attack to law enforcement will be treated as a significant mitigating factor if a payment later turns out to have a sanctions nexus. Those same companies should also consider their “regulatory obligations” under Financial Crimes Enforcement Network (FinCEN) regulations, OFAC noted.