Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2020
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

An alarming new advisory issued today by the federal government could upend ransomware response.

As if getting hit with ransomware wasn't stressful enought, there's now a new element to worry about besides whether you'll get your data and servers back: paying ransom to a cybercriminal or group that has been hit with sanctions by the US Treasury Department.

In a surprising advisory issued today that likely will cause consternation among cybersecurity professionals and organizations faced with ransomware attacks, the Treasury's Office of Foreign Assets Control (OFAC) warned of possible US policy violations for organizations or individuals who pay ransom to ransomware attackers who have been officially sanctioned by OFAC. 

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory said. 

Although law enforcement officials and experts advise victim organizations not to pay when hit with ransomware attacks, many victims have had to cough up cryptocurrency if they don't have protected backups of their locked-down systems, for example.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: What Legal Language Should I Look Out for When Selecting Cyber Insurance?

The advisory notes that the act of paying ransom to sanctioned individuals risks having those funds then used against the US.

"For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data," the advisory said.

The alarming advisory cites the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), which prohibit US citizens from "engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons." That includes countries and regions such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.

OFAC warned that paying ransom to a sanctioned entity could result in civil penalties, regardless of whether or not the victim or third-party facilitator knew they were sending money to a sanctioned entity. 

It warns third parties who negotiate or provide support for ransom payments for the victim to make a plan.

"As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," it advised. "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services." 

But the good news, if any, here is that the Treasury OFAC will cut ransomware victims some slack if they provide a "timely, complete report" of the attack to law enforcement.

"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisory said.

And if a victim believes a ransomware attacker may be a sanctioned entity, OFAC says they should contact the Treasury's Office of Cybersecurity and Critical Infrastructure Protection "immediately."

Last month the Treasury imposed sanctions on Iran's APT39 (aka Chafer and ITG07) hacking team, as well as on 45 other associates and a front company known as Rana Intelligence Computing Company as part of a coordinated federal government effort to crack down on Iran's hacking of US interests.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florian_Zeeb
50%
50%
Florian_Zeeb,
User Rank: Apprentice
10/7/2020 | 8:18:39 PM
To pay or not to pay, this is the question
In general, I firmly believe that we should not negotiate with criminals or terrorists or respond to their demands but...

What happens when the company must make a decision between payment or bankruptcy? when there is no other option to restore the IT systems, if the disaster recovery and business continuity plans are not working?

If a company have appropriated security measures in place but the attack is so sophisticated that the last option to stay in business is to pay the ransom shouldn't it be considered?

 

Florian
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.