Companies that facilitate ransomware payments risk violating US sanctions

Companies that ransomware-hit US organizations hire to facilitate the paying of the ransom are at risk of breaking US sanctions, falling afoul of the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) regulations and may end up paying millions in fines.

These include financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.

What is the OFAC?

The Office of Foreign Assets Control of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals.

Sanctions can be enforced against foreign countries/regimes, organized groups and individuals that “threaten the national security, foreign policy or economy of the United​ States”. Ransomware-wielding gangs fall in that category.

In a security advisory published on Thursday, the OFAC mentioned the developer of Cryptolocker, Iranian supporters of SamSam ransomware-wielding gangs, the Lazarus Group (a cybercriminal organization sponsored by North Korea that used the WannaCry ransomware) and Evil Corp, a Russia-based cybercriminal organization that wields the Dridex malware, as malicious cyber actors under its cyber-related sanctions program.

The advisory’s salient points

“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data,” the OFAC explained.

“OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. Victims should also contact the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a US financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.”

OFAC might issue a special license allowing them to perform the transaction (the paying of the ransom), but each application “will be reviewed by OFAC on a case-by-case basis with a presumption of denial.”

Also, it won’t matter if the ransomware gangs involved are from countries under US sanctions or under sanctions themselves.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the advisory pointed out.

To pay or not to pay?

If would be best, of course, if a ransomware-hit organization didn’t have to pay the ransom in order to quickly recover their IT capabilities and return to functioning as normal, but sometimes paying up is the only option if they want to stay afloat and/or keep providing vital services.

In and of itself, paying a ransom is not against the law, but if the payment is made to an entity or individual under US sanctions, the action is technically illegal.

But, according to Dissent Doe, FBI and Secret Service officials that attended a panel at the Privacy + Security Forum in Washington, D.C., a year ago confirmed that the US government has never prosecuted any victim for paying ransom.

The same panel, which also gathered private sector lawyers and a representative of a consulting firm, also unanimously confirmed that in an overwhelming majority of cases, victims end up getting the decryption key and their data back after paying up.

“So although the public isn’t told this clearly because the government wants to discourage it, I will repeat what I have been saying for quite a while: for some entities, paying ransom will just be a business decision based on how much money they will lose if they cannot function due to the ransomware attack,” Doe noted.

A (potential) fine levied by the US government then becomes just a factor in that equation.