OFAC Advisory Warns of Civil Penalties for Ransomware Payments
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory alert on October 1, 2020, that serves as a warning to entities that have been or will be the victim of a ransomware attack. The five-page advisory states that any company that pays a ransom to a criminal threat actor, or any entity that facilitates the payment, “including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” may be in violation of OFAC regulations and subject to fines.
Ransomware has long been a concern for organizations, both in the United States and abroad, having crippled hospitals, municipalities, educational entities and private companies across all industries in recent years. In the advisory, OFAC notes that this year’s new wave of ransomware attacks has been “more focused, sophisticated, costly, and numerous.” This assessment is supported by the frequent and increasingly urgent alerts issued by the Federal Bureau of Investigation (FBI) within the past year, which have detailed the rise of ransomware and the advanced and rapidly evolving tactics of threat actor organizations, many of which now steal an organization’s data prior to encrypting its systems as additional leverage in extorting their victims.
WHY DO RANSOMWARE VICTIMS PAY THE RANSOM?
In recent years, ransomware criminal activity has become a multibillion-dollar industry. Threat actor groups have experienced great success in tailoring their attacks to inflict the most pain on their targets, leaving victimized companies with few viable options in the attack’s aftermath. For a variety of reasons, many victimized companies end up paying the ransom. The encrypted data may be vital to the victim company’s operation and may not have been properly backed up prior to the attack. Or paying the ransom may be the less expensive option for a cash-strapped company than engaging in the painstaking rebuild of company systems and databases. Other entities may choose to pay off the threat actor in hopes of avoiding the public release of sensitive information, especially in light of increasing instances of data exfiltration preceding the deployment of ransomware.
Shortly after discovering a ransomware attack, the victimized company must make the critical decision whether to engage in negotiations with the threat actor to pay the ransom or to refuse to pay and go it alone in the effort to recover systems and data. Leaders of victimized entities will consider a variety of factors in making this determination, including the affordability of the ransom, the criticality of the affected systems and data, the ability to recover independently, and the evidence available regarding the attack. While the imposition of OFAC civil penalties for payments to sanctioned individuals or entities has long been a risk to be considered, the new guidance appears to significantly increase the likelihood that such penalties will actually be imposed on entities that pay such ransoms.
INTENDED EFFECTS OF OFAC ADVISORY WARNING
OFAC seeks to disincentivize threat actors by targeting their revenue sources—the entities whose data have been exfiltrated and/or encrypted, and who have chosen to pay the ransom demanded. In the advisory, OFAC makes clear its view that payment of a ransom encourages threat actor organizations to engage in future ransomware attacks. The OFAC advisory also states that entities that pay ransoms enable threat actor organizations by providing them with funds to act in opposition to the United States’ national security and foreign policy interests.
In an effort to decrease the likelihood that victim companies and their facilitators will pay ransoms demanded by threat actor organizations, OFAC plans to throw its weight behind its enforcement authority under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) by warning of sanctions for those companies that choose to pay. In accordance with these longstanding laws, US persons, regardless of their location, are prohibited from engaging in transactions with organizations listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons or those subject to embargoes.
Moreover, as noted in the advisory, OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that the victim entity could be in violation of OFAC’s regulations even if it did not know or have reason to know that the threat actor responsible for the compromise of its systems was a sanctioned entity or in a sanctioned jurisdiction.
OFAC’s advisory appears to acknowledge that, despite the potential penalties, some ransomware victims will pay the ransom. The advisory notes that OFAC will consider certain factors when determining the appropriate enforcement response for apparent violations of its regulations.
First, OFAC encourages companies to put in place a risk-based sanctions compliance program that is adequate to mitigate exposure to sanctions-related violations. OFAC will consider “the existence, nature, and adequacy” of such a program, including whether the compliance program accounts for the risk that paying a ransom may result in payment to a sanctioned entity.
Second, OFAC will consider the victim company’s cooperation and coordination with law enforcement. OFAC notes that “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement” will be considered a “significant mitigating factor.”
Although not specified in the advisory, violations of OFAC sanction regulations can result in steep monetary penalties. Entities that violate these laws without a license from the Department of Treasury could face a fine of up to $20 million.
OFAC’S LIKELY IMPACT ON INCIDENT RESPONSE
The OFAC guidance, framed through the black-and-white lens of IEEPA and TWEA, glosses over the reality that definitive attacker attribution is one of the grayest areas in any incident response. Only very rarely do affected entities, their forensic security advisors or even law enforcement claim to have identified with certainty the source of the incident. Even when a threat actor appears to claim responsibility for an attack, significant effort—and luck—are required to verify that an attacker is who it says it is.
In the immediate aftermath of a ransomware attack, victim entities are nearly always focused less on determining who is behind the attack than on ensuring business continuity, protecting customer, employee and company confidential data, reassuring business partners and rebuilding encrypted systems. The OFAC advisory attempts to force a significant re-prioritization, making attacker attribution the primary issue for entities with limited options.
As noted above, the OFAC warning is not exclusive to entities crippled by ransomware. Other players in the cybersecurity ecosystem, including entities that negotiate and facilitate ransom payments and cyber insurance companies, are also on notice that they can be held liable for violations of OFAC regulations. As claims for coverage associated with ransomware attacks skyrocket, some have perceived insurers to be willing to pay ransoms where they are the less expensive option, and to approve negotiation by specialized third-party firms, particularly when the threat actor has threatened to publicly release sensitive data. After the OFAC advisory, negotiators, cyber insurers and others may become more risk averse and may refuse to negotiate or cover ransom payments unless the victim company can demonstrate that the threat actor is not on the SDN List or part of an otherwise blocked or embargoed entity, leaving the victim to self-fund the ransom payment.
NEW DECISIONS CONCERNING LAW ENFORCEMENT COOPERATION
Another strategic decision facing victim companies is whether to notify and cooperate with law enforcement agencies such as the FBI. For entities that intend to pay the ransom, working with law enforcement could result in useful information sharing that might lead to more accurate attacker attribution. Further, coordination with law enforcement could result in more leniency from OFAC if the payment of the ransom turns out to violate OFAC regulations. The federal government has focused much attention in recent years on strengthening its partnership with private sector entities on issues related to information security and cyberattacks by supporting and encouraging information sharing. The Department of Homeland Security created the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 for purposes of facilitating the flow of information between companies and government agencies related to suspected and actual cyberattacks. The FBI continues working to improve its rapport with private businesses on a proactive and reactive basis by sharing indicators of compromise and offering new leads wherever possible. In instances where the ransomware victim notifies law enforcement and learns that the threat actor is believed to be a sanctioned entity, the company will likely have tied its own hands, precluding a decision to make the ransom payment anyway.
The OFAC advisory raises the stakes for victimized companies in the immediate aftermath of a ransomware attack. The crucial decision of whether to pay the ransom now comes with additional risk of legal scrutiny by a powerful federal agency and the possibility of steep fines.
Companies will need to consider what a “risk-based sanctions compliance program that is adequate to mitigate exposure to sanctions-related violations” means in the context of anticipating a ransomware attack and should revise their incident response plan to include a plan for sanction compliance. In the event of a ransomware incident, the company’s senior leaders should be briefed on OFAC risks so they may take those risks into account in their decision-making. Last but not least, entities should continue to focus their attention on proactive cybersecurity, as well as disaster recovery and business continuity procedures, particularly data backups, to mitigate the risk that they will be forced to pay a ransom.