By Bruce Sussman
Mon | Oct 5, 2020 | 4:00 AM PDT

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) recently issued an advisory on ransomware.

This was not about the cybercrime itself, but instead, the regulatory trouble your organization could face for facilitating ransomware payments.

The OFAC advisory on these cybercrime payments specifically warns financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims that they may be violating OFAC regulations.

U.S. Treasury: ransomware continues to increase

The Treasury Department says more companies are paying ransom to cybercriminals, and the worldwide pandemic is a part of this:

"Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."

Ransomware groups may be sanctioned; paying could be trouble

The Treasury Department says it has designated certain ransomware gangs and cybercrime groups as sanctioned entities because of their actions. Others are linked to a country facing U.S. sanctions, which Treasury calls a cyber nexus.

So paying, or facilitating a payment to, one of these groups may put your organization in violation of U.S. regulations. It also hands money to sanctioned groups or governments, which can help fund their efforts to attack the U.S. in cyberspace or elsewhere.

Here are four examples of ransomware groups sanctioned by OFAC in the last few years:

1. "Starting in 2013, a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers, approximately half of which were in the United States. OFAC designated the developer of Cryptolocker, Evgeniy Mikhailovich Bogachev, in December 2016."

2. "Starting in late 2015 and lasting approximately 34 months, SamSam ransomware was used to target mostly U.S. government institutions and companies, including the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company. In November 2018, OFAC designated two Iranians for providing material support to a malicious cyber activity and identified two digital currency addresses used to funnel SamSam ransomware proceeds."

3. "In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. OFAC designated the Lazarus Group and two subgroups, Bluenoroff and Andariel, in September 2019."

4. "Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware."

The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) generally prohibit U.S. persons or entities from engaging in transactions with sanctioned, embargoed, or blocked entities, governments, and groups.

Is paying a ransom illegal?

If this is the first you're hearing of a rule like this, you are not alone. That is why the U.S. Treasury issued the advisory.

But cyber lawyers across the U.S. are suddenly being asked whether this means paying a hacker's ransom is illegal.

Ted Kobus of BakerHostetler put it like this: "The U.S. government disfavors payments of ransom, but there is no general ban."

In other words, generally speaking, paying a hacker's ransom is not illegal. Beyond that, though, you must ask which hacker or hacking group you are paying. Are they sanctioned entities?

And cyber attorney Jordan Fischer of XPAN Law Group says answering this question can be difficult, which is why you should contact federal law enforcement if you get hit with a ransomware attack:

"This advisory reiterates that companies need to be working with law enforcement to obtain relevant information regarding the ransomware, and to help mitigate the exposures and risks.

Often, law enforcement will have a more global picture of the ransomware incident, and can more easily determine who the probable actor is. This will help to provide guidance to organizations as they respond to the incident, and then how to appropriately address payment and other options."

And Fischer says it is a reminder of how complex cyber incidents can be:

"Yes, ransomware is a known threat. But, addressing it comes with multiple layers: how did the infiltration occur? Was data exfiltrated? What is the goal of the actor? Can you restore your systems? All of these questions require input from a variety of internal and external actors before any money is used to address the situation."

See Jordan Fischer present at SecureWorld Texas on October 22, 2020, on "The Changing Legal Enforcement in Cyber and Privacy."

Also, read the OFAC Ransomware Payment Advisory for more information.