US Treasury warns ransomware attack payments could trigger investigation
Ransomware has become a cyber-pandemic in the U.S., prompting the U.S. Treasury Department to issue a stern warning about paying a ransom to criminals.
The advisory, which cites “sanctions risks” from ransomware payments, is aimed at companies that “facilitate ransomware payments to cyber actors on behalf of victims.”
Those companies include financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said.
The advisory warns specifically against payments to “malicious cyber actors” on the Specially Designated Nationals and Blocked Persons List (SDN List) and cites bad actors linked to Iran, Russia, Syria and North Korea, among others.
In a textbook ransomware attack, the attacker locks critical files and then provides instructions on how to unlock the files — provided that the victim pays. Recently, in some cases, criminals also threaten to expose sensitive files.
The problem is, ransom payments “not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the advisory said.
Ransomware payments made to “sanctioned persons” could also be used to fund activities against the U.S., the advisory added.
The varying success of ransomware attacks is one reason behind this year's jump in attempts to extort schools and hospitals.
At least 128 federal and state entities, health care providers and educational establishments were hit by ransomware during the first two quarters of the year, according to Emsisoft.
This summer, the University of California, San Francisco said it paid $1.14 million to a ransomware group.
Earlier this year, at an IT security conference, an FBI agent said that ransoms of $144.35 million were paid between January 2013 and July 2019, according to ZDNet.
Karen Walsh, cybersecurity compliance expert and the principal at Allegro Solutions, told Fox News that organizations may be oblivious to the existing regulations.
The OFAC’s SDN List and the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulatory requirements are “a financial services industry staple, but organizations not bound by these regulatory requirements likely have no idea they exist or how detailed the lists are.”
Financial institutions are required by law to reject or block payments sent to individuals on the SDN list, Walsh said.
Even if victims try to pay, they may find “that their bank blocked the payment because the recipient is on the SDN list. As such, a company that has already agreed to pay a ransom may not be able to make good on that promise, leaving them worse off than before,” Walsh added.
The OFAC said it may impose civil penalties if payments are made to blacklisted entities. “A person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the Treasury said.
The Treasury added that, in the case of an apparent violation, a compliance program “is a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).”
The upshot is that victims should contact OFAC before even considering a payment.