{"id":5623,"date":"2020-10-09T13:49:26","date_gmt":"2020-10-09T20:49:26","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5623"},"modified":"2024-08-07T12:23:11","modified_gmt":"2024-08-07T19:23:11","slug":"sanctions-risks-for-facilitating-ransomware-payments","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/sanctions-risks-for-facilitating-ransomware-payments\/","title":{"rendered":"Sanctions Risks for Facilitating Ransomware Payments"},"content":{"rendered":"

On October 1, 2020, the Department of the Treasury, Office of Foreign Assets Control (OFAC) issued an advisory to outline the sanctions risks associated with ransomware payments related to the malicious cyber-enabled activity1<\/sup><\/span>. OFAC has made it clear that \u201cCompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.\u201d\u00a0<\/span><\/p>\n

To be clear, facilitating payments for ransomware to sanctioned entities may result in civil fines and penalties. This OFAC advisory is limited to sanctions risks related to ransomware and was not intended to address issues related to information security practitioners\u2019 cyber threat intelligence-gathering activities. <\/span><\/p>\n

What Does Business Need to Know?<\/span><\/h3>\n

The U.S. Government keeps a list of economic sanctions which are administered by OFAC. OFAC has imposed sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for ransomware related activities. Ransomware payments made to sanctioned persons or sanctioned jurisdictions could be used to fund activities contrary to the United States\u2019 national security and foreign policy objectives. Ransomware payments may also encourage threat actors to engage in future attacks. In addition, paying a ransom to threat actors does not guarantee that the victim will regain access to stolen data.\u00a0<\/span><\/p>\n

U.S. citizens and residents are generally prohibited from engaging in transactions with individuals or entities on OFAC\u2019s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).\u00a0<\/span><\/p>\n

Civil Penalties for Sanctions Violations Based Upon Liability<\/span><\/h3>\n

OFAC may impose civil penalties for sanctions violations based on liability. This means that a person subject to U.S. jurisdiction may be held civilly liable even if they did not know or have reason to know it was engaging in a transaction with a prohibited person under sanctions laws and regulations administered by OFAC. Companies involved in facilitating ransomware payments on behalf of victims should also determine whether they have regulatory obligations. In failure to meet these obligations, these companies then take on the new risk of penalties for sanctions violations.\u00a0<\/span><\/p>\n

Civil penalties for sanctions violations will have a direct impact on the flow of ransom payments. By choking off illicitly gained ransom revenue streams, OFAC\u2019s civil penalties will make ransomware a far less attractive revenue source for threat actors.<\/span><\/p>\n

OFAC Has Identified Numerous Ransomware Threat Actors\u00a0<\/span><\/h3>\n

OFAC has identified numerous malicious cyber actors under its cyber-related sanctions program. This includes perpetrators of ransomware attacks and those who facilitate ransomware transactions. Some of these cited by the OFAC advisory and explicitly called out and sanctioned include Cryptolocker, SamSam, WannaCry, and Dridex and the threat actors behind all of these ransomware tools.\u00a0<\/span><\/p>\n

As an example, let us take a closer look at Dridex. Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft-related losses. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for the development and distribution of the Dridex malware.<\/span><\/p>\n

The best way to deal with ransomware is to minimize your risk of infection. The Infoblox Cyber Intelligence Unit (CIU) has covered Dridex extensively. Here you can see our threat research from the past year includes these three important reports:\u00a0<\/span><\/p>\n