Officials from the Treasury Department formalized this direction in a notice published Thursday. It warns that payments made to specific entities or to any entity in certain countries – in particular, those with a designated “sanctions link” – could expose the payer to financial sanctions imposed by the Office of Foreign Assets Control, or OFAC.
The ban applies not only to the infected group, but also to all companies or contractors that the hacked group's security or insurance engages with, including those that provide insurance, digital forensics and security incident response, as well as any financial services that help facilitate or process ransom payments.
“Facilitating a ransomware payment that is demanded as a result of malicious cyber activity can allow criminals and sanctioned adversaries to profit and advance their illicit objectives,” the notice said. “For example, ransomware payments made to sanctioned individuals or to sanctioned jurisdictions globally could be used to fund activities contrary to US national security and foreign policy objectives. Ransomware payments can also encourage cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to their stolen data.”
By law, U.S. persons are generally prohibited from directly or indirectly engaging in transactions with individuals or organizations on the OFAC Designated Nationals and Blocked Persons list, on other prohibited lists, or in Cuba, Iran, North Korea and other countries or regions. In recent years, the Treasury Department has added several known cyber threat groups to its designation list. They include:
To pay or not to pay?
Law enforcement officials and security consultants have generally advised against paying ransomware demands, as the payments only fund and encourage further attacks. Unfortunately, paying the ransom is often the fastest and cheapest way to recover. The city of Baltimore suffered a loss of more than $18 million after being locked out of its computer systems. The attackers behind the ransomware demanded $70,000. In response, some companies claiming to offer incident response services for ransomware attacks simply pay the attackers.
Thursday’s notice warned there were other reasons not to pay. It further explained that the bans on paying ransoms are broader than many people might assume. Fines can be imposed on any US person who, regardless of location, engages in a transaction that causes a non-US person to perform a prohibited action. OFAC can also impose civil penalties based on “strict liability,” a legal principle that holds a person or group accountable even if they did not know or had no reason to know that they were engaging with a person prohibited by sanctions laws.
“In general, OFAC encourages financial institutions and other businesses to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” the notice said. “This also applies to businesses that interact with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve the processing of ransom payments (including deposit-taking institutions and money services).”