The first, last, and only thing most ransomware victims want is their data. Lacking good backups, organizations suffocate until they pay a ransom for the key to decrypt their networks. But now the Treasury Department warns of possible sanctions for doing that. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
The new “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” is from Treasury’s Office of Foreign Assets Control (OFAC), and the title itself is footnoted to say it “is explanatory only and does not have the force of law.” But it goes on to cite the laws and regulations that could support sanctions, including the International Emergency Economic Powers Act, 50 U.S.C. §§ 1701–06, and the Trading With the Enemy Act, 50 U.S.C. §§ 4301–41.
Sanctions come from paying the wrong kind of cyber thieves: not run-of-the-mill criminals, but persons on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, or comprehensively embargoed countries or regions. The advisory’s own examples are the authors or distributors of Cryptolocker (200,000+ infections; Russian), WannaCry 2.0 (about 300,000 infections; North Korean), and Dridex ($100 million+ stolen; Russian).
OFAC’s warning covers both paying victims and “companies that engage with victims…cyber insurance, digital forensics and incident response, and financial services processing ransom payments.” The recommendations are directed at small and medium-sized organizations, not just the very largest, but how to pay for complying with them is not discussed.
For example, you are told to implement a compliance program which accounts “for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.” What that program looks like is unclear, but it could mean both predicting likely sources of attacks and accurately attributing an attack to its actual origin once it happens.
This is no small task. Experience teaches that few solutions can reliably identify the sources of attacks before they occur, and few attackers are located and identified even after data is decrypted or restored with backups.
Some free services like ID Ransomware claim to identify the ransomware family from artifacts such as the ransom note or an encrypted sample, but knowing the family is not the same as knowing the attacker. Forensic investigation of logs and other data is needed to have any chance of identifying where the attackers actually are. Complicating matters, malware first developed by SDNs or blocked persons is offered for sale or even for rent on the dark web, so the author of the ransomware may be listed by OFAC while the specific perpetrator is an ordinary cybercriminal.
This leads to an unstated subtext of the advisory: OFAC wants you to always involve federal law enforcement agencies before you pay a ransom. No exceptions. This is good practice in my experience, but some clients fear that involving federal law enforcement will slow the process of freeing their data, or even cost them the chance to do so, and some hope to handle the situation without anyone knowing about it.
The advisory offers an inducement to overcome this resistance. OFAC will regard a company’s “self-initiated, timely, and complete report of a ransomware attack” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” each as “a significant mitigating factor in determining an appropriate enforcement outcome” if the attacker turns out to be listed. The possibility of obtaining a license for the payment is briefly noted, but denial is stated as the presumed outcome.
The Advisory has a good list of federal agency contacts, but ranked first are OFAC’s Sanctions Compliance and Evaluation Division (email address given in the Advisory; (202) 622-2490 or (800) 540-6322) and its Licensing Division (https://licensing.ofac.treas.gov; (202) 622-2480).
How these recommendations will play out in enforcement proceedings remains to be seen, but the Advisory could someday be offered as evidence that you were warned.