The United States’ Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory in October of 2020 that states that businesses that pay ransomware demands to hackers could be met with penalties and fines. The Treasury Department says paying cyber attackers enables criminals and violates foreign sanctions. The advisory specifically named Cuba, Ukraine, Iran, North Korea and Syria.
“Ransomware payments made to sanctioned persons or comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” The advisory adds that “Ransomware payments may also embolden cyber actors to engage in future attacks.”
Also, insurance companies that make ransomware payments or negotiate with hackers on behalf of victims now risk violating OFAC regulations. Insurance companies are already well aware of the risks associated with hackers and sometimes refuse clients who have been hit with certain ransomware strains. The advisory also extends a warning to include financial institutions and companies involved in digital forensics and incident response.
Can Not Paying a Ransom Cost You More?
We never advocate that victims give in to the demands of cyber criminals because paying a ransom to ransomware gangs does not guarantee that the victim will get its stolen data. Ransomware attackers once demanded $76,000 worth of bitcoin from the City of Baltimore, Maryland, after shutting down its municipal systems. The Baltimore Sun reported that the cost of all the associated delays, workarounds and IT hardening cost the city around $18.2 million.
What Prompted This New OFAC Advisory?
Website ZDNet is reporting that these new guidelines were issued “because of the aftermath of the ransomware attack on wearables maker Garmin. The attack was carried out with a ransomware strain named WastedLocker, believed to be the successor of the BitPaymer ransomware, and connected to the EvilCorp group. Garmin is said to have paid the ransom demand.” Sources also told ZDNet that the “Treasury was aware that by fully blocking ransom payments might lead to situations where some companies might not be able to recover their data and would be forced to shut down or suffer considerable losses.”
How Does the Government Recommend that Entities Protect Themselves?
The advisory suggests that cyber insurance companies, ransomware victims and other institutions work together on a risk-based compliance program to attempt to guard against future attacks proactively.
“This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services,” the advisory states.
The advisory also states that victims should “contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. Victims should also contact the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.”
This announcement from OFAC reads like a warning to entities to better coordinate with law enforcement under penalty of sanctions. It is a clear message that the government wants to end the era of regularly and quickly paying ransoms to disincentivize the practice of hacking.
If you are still having trouble, consider contacting remote technical support options.