Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
Hit by Ransomware and Paid the Ransom? A Huge Federal Fine May Await You
October 5, 2020
First, I want to thank all the RTL readers who were so struck by this news last week that they sent me links to help cover this story. I've never had so many readers write on a single day.
The best coverage I saw came from a KrebsOnSecurity post in which Krebs warned that companies which are hit by ransomware and pay the ransom, and firms which facilitate negotiations with ransomware cybercriminals, could be assessed steep fines by the federal government if the crooks who receive the ransom are already under economic sanctions.
That is what the Treasury Department warned in an October 1 advisory. The Treasury's Office of Foreign Assets Control (OFAC) said "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
As ransomware has escalated, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.
As Krebs notes, some of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.
Those that run afoul of OFAC sanctions without a special dispensation or "license" from the Treasury Department can face several legal repercussions, including fines of up to $20 million. And yeah, that's a big number.
We have noted for years that the FBI discourages the payment of ransoms because the payments simply encourage the criminals.
The practical side is that some victims decide that paying the ransom is the fastest way to get back in business. Insurance providers frequently help facilitate the payments because the ransom may be far less than what the insurer might have to pay a business that is out of commission for a significant period of time.
In real life, companies are unlikely to know whether the extortionists demanding a ransom are under sanction by the federal government. Turns out it doesn't matter. OFAC may impose civil penalties for sanctions violations based on "strict liability," meaning that a business subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. In other words, you don't have to have any intent, nor do you need to have a reason to know about the sanction.
There's an interesting twist to this story. Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury's policies here are not new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.
He also said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.
"In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication," he said. "There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC."
That may be true for major corporations and those who serve them, but the angst that was evident on October 1st suggests to me that most people hadn't a clue about this issue.
It is (maybe) somewhat comforting that the OFAC has said the degree of a person/company's awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider "a company's self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."
Our advice has always been to have an Incident Response Plan – first call your pre-identified data breach lawyer and then call the nearest FBI regional office.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson