Making or Helping Ransomware Payments Could Mean Federal Sanctions

The first, last, and only thing most ransomware victims want is their data back. Lacking good backups, organizations suffocate until they pay a ransom for the key that decrypts their systems. Now the Treasury Department warns that paying may itself expose the victim, and anyone who helps arrange the payment, to sanctions liability. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

The new “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” is from Treasury’s Office of Foreign Assets Control (OFAC), and the title itself is footnoted to say it “is explanatory only and does not have the force of law.” But it goes on to cite the laws and regulations that could support enforcement: the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–06, and the Trading With the Enemy Act (TWEA), 50 U.S.C. §§ 4301–41. (The advisory also notes that OFAC may impose civil penalties on a strict-liability basis, so a payer can be liable even if it did not know, and had no reason to know, that the counterparty was a sanctioned person.)

Sanctions risk comes from paying the wrong kind of cyber thief. Not run-of-the-mill criminals, these are persons listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, or persons in comprehensively embargoed countries or regions. The advisory’s examples include the authors or distributors of Cryptolocker (200,000+ infections; Russian), WannaCry 2.0 (about 300,000 infections; North Korean), and Dridex ($100 million+ stolen; Russian).

OFAC’s warning covers both the paying victims and “companies that engage with victims…cyber insurance, digital forensics and incident response, and financial services processing ransom payments.” The recommendations apply to small and medium-sized organizations, not just the very largest, but how those organizations are to pay for complying with them is not discussed.

For example, you are told to implement a risk-based compliance program which accounts “for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.” What that program looks like in practice is unclear, but it would seem to require both assessing in advance who is likely to attack you and accurately attributing an attack once it happens, before any payment is made.

This is no small task. Experience teaches that few tools can reliably predict the source of an attack before it occurs, and few attackers are located and identified even after the data has been decrypted or restored from backups.

Some free assistance services like ID Ransomware can identify the ransomware family from artifacts such as the ransom note or an encrypted file sample. But identifying the family is not the same as identifying the attacker; forensic investigation of logs, network traffic, and other data is needed to have any chance of establishing where the actual operators are. Complicating matters, malware first developed by SDNs or blocked persons is offered for sale, or even rented out as ransomware-as-a-service, on the dark web. So the author of the ransomware may be listed by OFAC while the specific perpetrator is an ordinary cybercriminal, or the reverse, and the ransom note alone will not tell you which.

This leads to an unstated subtext of the advisory: OFAC wants you always to involve federal law enforcement before you pay a ransom. No exceptions. This is good practice in my experience, but some clients fear the process of freeing their data will be slowed or even derailed by involving federal law enforcement, and some hope to handle the situation without anyone knowing about it.

The advisory offers an inducement to overcome this resistance. OFAC will regard a company’s “self-initiated, timely, and complete report of a ransomware attack” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” each as “a significant mitigating factor in determining an appropriate enforcement outcome” if the attacker turns out to be listed. The possibility of obtaining an OFAC license for the payment is briefly noted, but license applications are to be reviewed case by case with a presumption of denial.

The advisory has a useful list of federal agency contacts (the FBI, the Secret Service, CISA, and FinCEN among them), but ranked first are OFAC’s Sanctions Compliance and Evaluation Division (ofac_feedback@treasury.gov; (202) 622-2490 / (800) 540-6322) and its Licensing Division (https://licensing.ofac.treas.gov; (202) 622-2480).

How these recommendations will play out in enforcement proceedings remains to be seen, but the advisory could someday be offered as evidence that you were warned.

About Craig Pinkus

Craig Pinkus is a partner in the Intellectual Property Group. He also is a member of the Litigation and the Sports, Entertainment and Media Groups. He assists clients with a broad range of disputes and transactions involving all areas of intellectual property, entertainment, and other complex business arrangements. He has conducted trials and arbitrations throughout the United States and has argued appeals before the Seventh, Sixth and Federal Circuit Courts of Appeal, the Indiana appellate courts, and United States Supreme Court.