Treasury Department warns that ransom payments could violate US sanctions.
The US Treasury Department's Office of Terrorism and Financial Intelligence issued two advisories last week, one from the Office of Foreign Assets Control (OFAC) and one from the Financial Crimes Enforcement Network (FinCEN), warning that ransomware payments could violate US sanctions if the money ends up in the hands of sanctioned individuals or entities.
Treasury's Office of Foreign Assets Control (OFAC) stated that it "may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC." The statement goes on to say, "As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations."
The Treasury Department's Financial Crimes Enforcement Network issued a separate statement regarding the role of financial institutions and companies that assist victims of ransomware attacks:
"The prevalence of ransomware attacks has led to the creation of companies that provide protection and mitigation services to victims of ransomware attacks. Among these entities are digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). Some DFIR companies and CICs, as well as some MSBs [money services businesses] that offer CVCs [convertible virtual currencies], facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission. Entities engaged in money services business activities (such as money transmission) are required to register as an MSB with FinCEN, and are subject to BSA obligations, including filing suspicious activity reports (SARs). Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity."
The Record notes that the US government as a whole has offered mixed guidance on paying ransoms. The FBI has officially maintained that victims shouldn't pay the ransom because it funds further criminal behavior, but the Bureau has acknowledged that "executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers." The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) similarly advises against paying ransom, but asks victims to notify the government if they do decide to pay.
The Treasury Department's statements represent the strongest counsel to date against paying ransom demands. OFAC cites North Korea's Lazarus Group and the Russian cybercriminal group Evil Corp as two examples of sanctioned entities that have engaged in ransomware activities in the past. The advisory doesn't, however, address the difficulties of attribution, which matter because OFAC's liability standard is strict, nor does it suggest how organizations can determine whether they're dealing with a sanctioned attacker before a payment is made. One of the key actionable takeaways is OFAC's exhortation that victims and intermediaries be transparent and cooperative with law enforcement. OFAC states that it will "consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome."