The U.S. Department of the Treasury has issued an advisory for companies that help negotiate ransomware payments. A footnote to the advisory notes that it is “explanatory only and does not have the force of law. It does not modify statutory authorities, Executive Orders, or regulations. It is not intended to be, nor should it be interpreted as, comprehensive or as imposing requirements under U.S. law, or otherwise addressing any particular requirements under applicable law. Please see the legally binding provisions cited for relevant legal authorities.”
The advisory begins:
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
The advisory contains the now-familiar explanations as to why paying ransom of facilitating ransom payments is undesirable:
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.
But then the advisory turns to how assisting or facilitating a payment may violate Office of Foreign Assets Control (OFAC) regulations, noting:
As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.
So a company struggling to get its network back up and running and dealing with a ton of issues, should add more “immediate” notifications and considerations into the mix, even though those agencies are not going to be helping them recover from the attack? And the companies they retain to help them deal with the threat actors also have more to consider or risk? [Update: BakerHostetler subsequently published their commentary that raises a good point about how the FBI may help the entity figure out the attribution and whether there is a nexus to any sanctioned entity.]
The government has a valid argument about not supporting our adversaries by payments. But is it tying the hands of businesses and entities that may fold totally if they decide not to pay? Does the greater good apply and we should just accept that hospitals or vital services may fold rather than make ransom payments to those on sanctioned lists or with a nexus to sanctioned entities?
The full advisory is embedded below or can be downloaded from Treasury’s web site.
DataBreaches.net reached out to Coveware to ask their reaction to the advisory, as they are a one of the premier firms when it comes to helping ransomware victims negotiate payments with threat actors, but no answer has been received as yet.