U.S. Government Warns Companies of Legal Risk for Paying Ransom to Cybercriminals
The unprecedented rise of ransomware attacks has placed enormous strain on businesses and organizations that are already reeling from the devastating financial impact of the global COVID-19 pandemic. While companies are grappling with pandemic-related business disruptions ranging from widespread layoffs to remote operations, these same organizations are increasingly finding themselves victims of cyber-attacks that threaten to shut their businesses down unless hefty ransom payments are made to cybercriminals. Recently, however, the U.S. government has not so gently reminded companies that they, their cyber insurers and third parties that assist in facilitating payments to cybercriminals might be subject to liability and hefty penalties under federal laws. On October 1, 2020, the U.S. Department of the Treasury issued an advisory on potential risks of sanctions for organizations that facilitate ransom payments.
Rise in Ransomware Attacks
Ransomware attacks are known generally to encrypt an organization’s servers and files, which essentially are held hostage by cybercriminals in exchange for a ransom payment in Bitcoin or other form of cryptocurrency. If an organization does not have viable current backups to restore their systems, they may have no choice but to pay the ransom. A relatively recent trend is for cybercriminals to use the ransomware attack as a smokescreen to steal data and then threaten to publish this information unless a hefty ransom is paid. New and evolving variants of ransomware such as Maze and Netwalker are regularly seen to exfiltrate data. Faced with the added risk of reputational harm that could have debilitating economic consequences, even organizations with viable backups are deciding to pay a ransom in the hope that the cybercriminals are true to their word.
As recently noted by the ransomware incident response firm Coveware, the average ransom payment rose 33 percent between the end of 2019 and the first quarter of 2020, to $111,605. Coveware further notes that cybercriminals have taken advantage of the economic and workplace disruptions caused by the COVID-19 outbreak to target a variety of organizations, including professional services firms, IT managed service providers (MSPs) and schools. Often, the cybercriminals access an organization’s network via poorly secured remote desktop protocol (RDP) access points, using stolen credentials that can be purchased for as little as $20 on the Dark Web.
Risk of Sanctions for Facilitating Ransom Payments
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory (Advisory) warning cyber insurers, financial institutions and other organizations that facilitate ransom payments to cybercriminals that such actions “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”1 Cyber insurers, which have already been trying to “curb” their exposure to vulnerable customers as costs go up, are concerned. The important question raised by this public advisory is whether victims who are insured will still decide to make payments.
As explained in the OFAC Advisory, U.S. laws – including the International Emergency Economic Powers Act (IEEPA)2 and the Trading with the Enemy Act (TWEA)3 – prohibit U.S. persons or entities from engaging in direct or indirect transactions with individuals or entities identified on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and Sectoral Sanctions Identifications List (SSI List), among others.4 These laws have a long arm and may also apply to non-U.S. persons or organizations that assist U.S. persons in facilitating IEEPA-sanctioned transactions, and vice versa.5 In particular, OFAC cautions that companies that facilitate ransom payments to blacklisted cybercriminals (including financial institutions, cyber insurers, and digital forensics and incident response firms) may be violating OFAC regulations.6
Notably, in the past few years, OFAC has designated various threat actors under its cyber-related sanctions programs. For instance, in December 2016, OFAC designated the developer of the ransomware variant known as Cryptolocker. In November 2018, OFAC designated two Iranians for malicious cyber activity in connection with the SamSam ransomware variant along with two digital currency addresses used to funnel SamSam ransom payments. In September 2019, OFAC designated the North Korean–based Lazarus Group linked to the WannaCry cyber-attack that infected 300,000 computers in 150 countries. In December 2019, OFAC designated Russian-based Evil Corp for their development and distribution of the Dridex malware that infected computers and stole login credentials from banks and financial institutions in 40 countries, resulting in the theft of $100 million.
In short, OFAC will impose sanctions on these and other cybercriminals and those who materially assist, sponsor or provide financial, material or technological support for these activities.7 Facilitating a ransomware payment enables criminals with a “sanctions nexus” to profit and advance their illicit aims.
According to one source, a U.S. company that was hit with a ransomware attack facilitated a $10 million ransom payment to the Russian hacking group known as Evil Corp, which has been placed on the OFAC blacklist. The U.S. company reportedly engaged a New Zealand firm to negotiate and pay the ransom. However, based on the recent OFAC Advisory, it does not appear as if the use of a foreign third-party intermediary is sufficient to mitigate the risk of OFAC sanctions and potential liability exposure under U.S. laws. According to the Advisory, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know that it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”8
Enforcement and Penalties
OFAC has issued Economic Sanctions Enforcement Guidelines (Guidelines)9 that provide guidance on the nature and amount of penalties that can be assessed against an organization for violating U.S. economic sanctions laws, including IEEPA and TWEA. The Guidelines set forth a sliding scale of possible civil penalties based on the value of the underlying transaction (or ransom payment) – ranging from $1,000 to $307,922. In contrast, criminal penalties can include fines ranging from $50,000 to $10 million and imprisonment ranging from 10 to 30 years for willful violations. OFAC may consider a number of factors in evaluating whether a punishable violation has occurred, including willful or reckless violations, intentional concealment, a pattern or practice of ongoing conduct (versus an isolated incident), prior notice of violations, or the extent to which an organization’s management was aware of or should have been aware of the conduct.
Other factors that may be considered include cooperation with OFAC in providing relevant information, voluntary self-disclosure of the violation to OFAC, or a timely and complete report of the underlying ransomware attack to the FBI and other law enforcement. As stated in the Advisory, “OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement” action.10
In addition, “OFAC encourages financial institutions and other companies to implement a risk-based compliance program (Framework) to mitigate exposure to sanctions-related violations.”11 According to OFAC, this Framework “applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payment (including depository institutions and money services businesses).”12
The Framework should include five key components:
Management’s commitment to implementing a sanctions compliance program
A documented risk assessment designed to identify potential OFAC issues
Internal controls and documented policies and procedures pertaining to OFAC compliance (including reporting and escalation chains)
Comprehensive testing and auditing of an organization’s sanctions compliance program
We note that organizations that negotiate and facilitate ransom payments to cybercriminals typically generate a sanctions check report for cyber insurers and insureds that may include the following information: amount of the ransom payment, the Bitcoin wallet address and factors analyzed in an attempt to identify the ransom recipient (such as known or unique identifiers related to the threat actor or malware, and Blockchain analysis of the Bitcoin wallet address where the funds are being sent). A typical sanctions report also may attest that, based on the available information, it does not appear as if the ransom payment is being sent to an individual or organization identified on an OFAC sanctions list. In addition, the organization facilitating the ransom payment also may submit an “anonymous” report to the FBI. At a minimum, this type of sanctions check report provides documentation of reasonable due diligence that was undertaken to verify that the intended recipient of the ransom payment is not a known terrorist or criminal.
In summary, the unprecedented rise of ransomware attacks and ransom payments to cybercriminals has not escaped the attention of the U.S. government. While the recent OFAC Advisory is intended to discourage organizations from paying ransoms, the reality is that organizations may have little choice, as they are already fighting to stay afloat during the global pandemic and the economic fallout of this crisis. Nonetheless, the government has made it clear that not only the victims of cyber-attacks but also the individuals and entities that assist in facilitating payments to bad actors may be at risk of violating sanctions laws. To mitigate this risk, organizations are encouraged to be more transparent in their dealings with cybercriminals, including reporting ransomware attacks and extortion demands to OFAC and the FBI. Undoubtedly, well-known ransomware negotiators will not risk their reputations by issuing sanctions check reports without reasonable due diligence. Moreover, all organizations involved in the ransom payment facilitation chain should implement an OFAC Compliance Framework.
However, as the Advisory notes, ransom payments may enable cyber actors to engage in future attacks, and paying does not even guarantee that the victim will regain access to their stolen data. OFAC’s authority derives from the IEEPA and the TWEA. Under these authorities, U.S. persons are not allowed to engage in transactions with individuals or entities on OFAC’s SDN List, and OFAC can impose civil penalties based on strict liability.
OFAC advises companies to create a sanctions compliance program that accounts for the risk that a ransomware payment may involve an SDN or blocked person. OFAC will consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the enforcement outcome if the situation is determined to have a sanctions nexus. One practical difficulty is that victim organizations are expected to check the list of sanctioned entities, yet in many cases the true identity of the cybercriminals is not known.14
1 See U.S. Department of the Treasury, 2020, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” issued October 1, 2020.
2 50 U.S.C. §§ 4301-41; 50 U.S.C. §§ 1701-06.
3 31 C.F.R. part 501, Appendix A.
4 See U.S. Department of the Treasury, 2020, ibid.
9 31 C.F.R. Appendix A to Part 501.
10 See U.S. Department of the Treasury, 2020, ibid.
11 See U.S. Department of the Treasury, 2019, “A Framework for OFAC Compliance Commitments.”
12 See U.S. Department of the Treasury, 2020, ibid.
13 See U.S. Department of the Treasury, 2019, ibid.
14 See “Treasury Department warns against paying hackers involved in ransomware attacks,” The Hill, October 1, 2020, at https://thehill.com/policy/cybersecurity/519231-treasury-department-warns-against-paying-hackers-involved-in-ransomware.