On Oct. 1, the United States Treasury Department Office of Foreign Assets Control (OFAC) issued an advisory concerning ransomware payments and sanctions regulations. The advisory warned that paying ransoms to sanctioned persons and entities risks violating the law. It also notes that OFAC may impose civil penalties for violations even if the person did not know, or have any reason to know, that the ransomware payment was sent to an entity under sanction.
Rapid7 has previously recommended that victims not pay ransom, consistent with guidance from U.S. government agencies.
OFAC Sanctions Risk and Ransoms
OFAC has designated numerous malicious cyber actors under its sanctions programs. These include individuals and groups that develop and use ransomware and other malware (such as the Lazarus Group cybercriminal organization involved in WannaCry 2.0), as well as persons that provide support for those activities (such as individuals that laundered cryptocurrency for the Lazarus Group). OFAC’s list of blocked persons notes certain digital currency addresses and aliases associated with sanctioned persons.
OFAC’s advisory makes clear that paying a ransom to entities under OFAC sanctions risks violating its regulations. This applies to ransomware victims paying a ransom, as well as third parties that facilitate ransom payment on behalf of victims (such as cyber insurance firms, financial institutions, transactions processors, and incident response services), even if there was no reason to know that the payment would violate the regulations.
Ransomware victims may apply to OFAC for a license to exempt the ransom payment from the sanctions regulations. However, OFAC’s advisory notes that there is a presumption of denial for license applications, as paying ransoms undermines the sanctions’ national security goals. Rather than pay the ransom, OFAC recommends victims of ransomware contact government agencies for help.
OFAC’s advisory is not itself a regulation, but instead seeks to provide explanatory guidance on existing regulations as they apply to ransomware. Although OFAC advisory did not include discussion of bug bounties, organizations should presume that payment of bug bounties to sanctioned entities would also be a violation.
Organizations that fall victim to ransomware attacks should beware the risk of violating OFAC regulations by paying a ransom to a sanctioned entity. Organizations should ensure ransomware prevention, detection, and recovery measures are in place.
Rapid7 has previously recommended against victims paying ransoms demanded by cybercriminals, consistent with the stance of U.S. government agencies like the FBI. There is no guarantee the criminals will provide the victim with the decryption keys needed to regain system access, and paying the ransom will encourage criminals to continue carrying out these attacks by funding their activity. Of course, this is much easier said than done, especially when the stakes can be so high for regaining functionality.
If victims of ransomware are considering paying the ransom, they should first attempt to determine and minimize the risk of violating OFAC regulations. This may include checking the malicious actors’ identifiers (i.e., aliases, digital currency addresses, groups affiliated with ransomware versions) against OFAC’s sanctions list, contacting OFAC through its hotline, timely reporting of the incident to an FBI field office or CISA (US-CERT), and cooperating with law enforcement during and after the attack. If a ransom payment is later discovered to be in violation of sanctions regulations, OFAC advises that these and other measures are potentially significant mitigating factors in assessing penalties.
To avoid these painful scenarios, Rapid7 believes it is critical for organizations to focus on ransomware prevention, steps to limit the impact of attacks, and plans for continuity and recovery. A fundamental best practice is to have a comprehensive playbook with people, processes, and technology ready before facing a ransomware attack.
Additional OFAC Background
OFAC administers U.S. economic sanctions programs and embargoes against designated countries, governments, groups, and individuals. Sanctions regulations may include prohibitions on directly or indirectly transferring assets, such as digital and fiat currency, to the sanctioned entity. All U.S. citizens and permanent residents, regardless of where they are located, as well as U.S. corporations and foreign branches, must comply with OFAC regulations.
The potential penalties for violating the regulations include civil and criminal monetary fines ranging from several thousand to millions of dollars, depending on the sanctions regime and the egregiousness of the violation. OFAC advises that self-reporting violations and efforts to avoid violations (such as maintaining a risk-based compliance program) are factors that may mitigate the severity of a penalty. Willfully violating the law may increase the severity of the penalty.
- Dept. of Treasury OFAC Ransomware Advisory (Oct. 1, 2020), https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001
- Dept. of Treasury FinCEN Ransomware Advisory (Oct. 1, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory Ransomware FINAL 508.pdf
- Rapid7 Ransomware Playbook (Sep. 2020), https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-insightidr-ransomware-playbook.pdf
- Rapid7 Preventing and Detecting Ransomware Attacks, https://www.rapid7.com/solutions/ransomware/
- CISA Ransomware Guide (Sep. 30, 2020), https://www.cisa.gov/publication/ransomware-guide/