Businesses, governments and organizations affected by crippling ransomware attacks are now facing a new concern – heavy fines from the US Treasury Department for paying to recover their data.
Treasury Department officials made the guidance official in an advisory issued Thursday. It warns that payments made to specific entities or to any entity in certain countries
The ban applies not only to the group that is infected, but also to any companies or contractors that the hacked group's security or insurance engages with, including those that provide insurance, digital forensics and incident response, as well as all financial services that help facilitate or process ransom payments.
“Facilitating the payment of ransomware required as a result of malicious cyber activities may enable criminals and opponents with a sanction link to take advantage and achieve their illegal goals,” the advisory said. “For example, ransom payments made to sanctioned persons or to comprehensively sanctioned jurisdictions may be used to finance activities that are detrimental to the national security and foreign policy of the United States. Ransomware payments can also encourage cyber actors to participate in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to their stolen data.”
U.S. persons are generally prohibited by law from engaging directly or indirectly in transactions with individuals or organizations on OFAC's Specially Designated Nationals and Blocked Persons List, other sanctions lists, or in Cuba, Iran, North Korea, and other countries or regions. In recent years, the Treasury Department has added several well-known cyber-threat groups to its list of designations. They include:
To pay or not to pay?
Law enforcement officers and security consultants usually recommend against paying ransom demands, as the payments only fund and encourage new attacks. Unfortunately, paying a ransom is often the fastest and cheapest way to recover. The city of Baltimore suffered a loss of more than $18 million after being locked out of its IT systems. The attackers behind the ransomware demanded $70,000. In response, some companies that claim to offer incident response services for ransomware attacks simply pay the attackers.
Thursday's advisory did not say that people are barred from paying ransoms in all cases.
The advisory warned on Thursday that there are other reasons not to pay. It also explained that the bans on ransom payments are broader than many people may imagine. Fines can be imposed on any U.S. person who, regardless of their location, engages in a transaction that causes a non-U.S. person to perform a prohibited act. OFAC may also impose civil penalties on the basis of “strict liability”, a legal principle that holds a person or group accountable even if they did not know or have reason to know that they were dealing with someone who is prohibited by sanctions.
“Overall, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions violations,” the advisory said. “This also applies to companies that engage with victims of ransom attacks, such as those involved in providing cyber insurance, digital forensics and incident response, as well as financial services, which may include processing ransom payments (including depository institutions and monetary services).”
The advisory went on to say that people would not be sanctioned in all cases for paying ransoms. In some cases, victims may receive a pre-release ransom payment. In other cases, the violations can be excused or mitigated.
“According to the OFAC Implementing Guidelines, OFAC will also consider the company's self-initiated, timely and complete report of the ransomware attack to law enforcement as an important mitigating factor in determining an appropriate enforcement outcome if the situation is subsequently found to have sanctions,” officials wrote. “OFAC will also consider the company’s full and timely cooperation with law enforcement during and after a ransomware attack as an important mitigating factor in assessing a possible enforcement outcome.”
The post has been updated to add the last two paragraphs.