Businesses, governments and organizations in the grip of ransomware attacks now have a new concern: huge fines from the US Department of the Treasury if they pay to recover their data.
Treasury Department officials made that guidance official in an advisory published on Thursday. It warns that payments made to specific entities or to any entity in certain countries, specifically those with a designated “sanctions nexus,” could subject the payer to financial penalties imposed by the Office of Foreign Assets Control, or OFAC.
The prohibition applies not only to the group that is infected, but also to any companies or contractors involved in insuring or protecting the hacked group, including those providing insurance, digital forensics and incident response, as well as all financial services that help facilitate or process the ransom payment.
“Facilitating ransomware payments sought as a result of malicious cyber activities can help protect criminals and opponents from sanctions and further their illegal objectives,” the advisory said. “For example, ransomware payments made to sanctioned individuals or widely accepted courts may be used to fund activities for purposes of national security and foreign policy of the United States. Ransomware payments may also embrace cyber actors to engage in future attacks. Furthermore, giving ransom to cyber actors does not guarantee that the victim will gain access to their stolen data.”
Under the law, US persons are generally prohibited from transacting, directly or indirectly, with individuals or organizations on OFAC's Specially Designated Nationals and Blocked Persons List, on other prohibited lists, or with people or organizations in Cuba, Iran, North Korea and other countries or territories. In recent years, the Treasury Department has added several known cyber-threat groups to its designation list. They include:
To Pay or Not to Pay?
Law enforcement officers and security advisors have generally advised against paying ransomware demands because payments only fund and encourage new attacks. Unfortunately, paying the ransom is often the fastest and least expensive way to recover. The city of Baltimore incurred more than $18 million in damages after the shutdown of its IT system. The attackers behind the ransomware demanded $70,000. In turn, some companies claiming to offer incident-response services for ransomware attacks simply pay the attackers.
Thursday’s advisory did not say that people were banned from paying ransom in all cases.
Thursday’s advisory warned that there were other reasons not to pay. It also noted that the restrictions against ransom payments are broader than many people may realize. Penalties can be imposed against any US person who, regardless of location, engages in a transaction that causes a non-US person to take prohibited actions. OFAC may also impose civil penalties on the basis of “strict liability,” a legal doctrine that makes a person or group liable even if they did not know or have reason to know that they were engaging with someone prohibited under sanctions laws.
“As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to reduce the risk of sanctions-related violations,” the advisory said. “It also applies to companies that engage with victims of ransomware attacks, such as cyber insurance, digital forensics and people involved in incident response, and financial services that process ransom payments (including depository institutions and money services).”
The advisory said that people will not be punished for paying ransom in all cases. In some cases, victims may obtain a dispensation in advance to pay the ransom. In other cases, the violation may be excused or the penalty reduced.
“Under OFAC’s enforcement guidelines, OFAC will consider the company’s self-initiated, timely and complete report to law enforcement, in order to determine a reasonable mitigation rule to impose appropriate sanctions, an important mitigation for law enforcement Be the factor. Nexus,” the officials wrote. “OFAC will also consider the company’s complete and timely cooperation with law enforcement during and after the ransomware attack when evaluating a potential enforcement outcome.”
Post updated to add the last two paragraphs.