Ransomware is a malware variant that cybercriminals use to block their victims’ access to their computer systems or a specific set of data by encryption. Cyber criminals then demand a ransom payment usually in the form of virtual currencies in exchange for freeing up the attacked party’s access to their computers.
September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory emphasizing the sanctions risks associated with ransomware payments, the steps to be taken to lower the risks of exposure to cybercrime and the mitigating factors in enforcement action.
OFAC Advisory cites the FBI (Federal Bureau of Investigation) data revealing a 21% increase in reported attacks and a %225 increase in associated losses, from 2019 to 2020.
The number of ransomware attacks have peaked especially in the aftermath of the COVID-19 pandemic as reliance on online systems increased, while the nature of attacks also evolved. Cybercriminals nowadays can target both government and private entities via sophisticated means and they do not refrain from exploiting the vulnerabilities of critical infrastructure providers, such as hospitals. OFAC Advisory cites the FBI (Federal Bureau of Investigation) data revealing a 21% increase in reported attacks and a %225 increase in associated losses, from 2019 to 2020.
Making or facilitating payments encourage future crime, increase risks, and directly or indirectly benefit illicit actors while risking a breach of OFAC regulations on part of the attacked party.
As with the case of similar ransom demands made by, for example terrorist groups, making or facilitating payments encourage future crime, increase risks, and directly or indirectly benefit illicit actors while risking a breach of OFAC regulations on part of the attacked party.
The advisory describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant U.S. government agencies, if there is any reason to believe that the illegal cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
Cybercriminals from sanctioned jurisdictions behind ransomware attacks
Cyber actors of malicious intent are not rogue players who are out for an easy profit by targeting personal computers. Ransomware criminals place in their crosshairs entities or organisations they assume to be inadequately invested in cyber protection and at times, they can be sponsored by or linked to embargoed jurisdictions.
OFAC Advisory makes special mentions of ransomware associated designations of Evgeniy Mikhailovich Bogachev, the developer of the Cryptolocker; two Iranians who provided material backing to harmful cyber activity linked to the wide scale ransomware attacks that happened in late 2015 and lasted 34 months; the government sponsored North Korean cybercriminal organisation “Lazarus Group” and its two splinter groups Bluenoroff and Andariel who were behind the attacks that infected 300’000 systems in at least 150 countries, and the notorious Russia-based cybercriminals Evil Corp and its leader, Maksim Yakubets whose Dridex malware targeted banks and financial institutions in 40 countries and robbed $100M.
Malicious cyber actors usually demand ransoms in virtual currency as they cannot operate without the cloak of anonymity. Thus, the aid and involvement of certain VASPS are enlisted. In September 2021, OFAC designated the Russia-based VASP SUEX on the grounds that 40% of the transactions it processed was linked to cybercrime.
The legal implications do not differ in case of facilitation of payments. A non-U.S. person who causes a U.S. person to violate sanctions prohibitions by facilitating actions that cannot be directly undertaken by the latter because of the regulations, is also covered by the sanctions law.
Organisations offering services to help victims of ransomware schemes, are advised to consider the serious risk of engaging with an SDN or indirectly aiding the goals of an embargoed jurisdiction.
OFAC’s general advice of implementing a risk-based compliance program applies to the subject of ransomware payments as well. Organisations offering services to help victims of ransomware schemes, i.e. those who provide cyber insurance, financial services, emergency response, purveyors of depository or international money services, are all advised to consider the serious risk of engaging with an SDN or indirectly aiding the goals of an embargoed jurisdiction.
Mature defensive procedures against malware attacks include developing adequate action plans, institution of cybersecurity training, reinforcing antivirus and anti-malware software and the observance of solid authentication protocols. For guidance on the sound implementation of measures, OFAC advisory cites the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a reference.
Mitigating Factors: Cooperation and Reporting
Civil liability cannot be waivered, and penalties ranging from a No Action Letter or a Cautionary Letter to fully public responses in the form of pecuniary punishment await organisations, even if the attacked party in question did not have knowledge about the possible indirect or direct consequences of their actions.
As with other sanctions-related offenses, informing the U.S. Government Agencies, in this case the CISA, or the OCCIP (the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection) and relevant authorities, i.e. voluntary self-disclosure as soon as possible after an attack, is emphasized to be a mitigating factor in OFAC’s enforcement response.
The scope and the nature of the attacked party’s cooperation with relevant law enforcement agencies, both in the course and the aftermath of an attack as well as their willingness to divulge relevant information, such as technical details, the amount of ransom payment demanded, cybercriminals’ instructions, are also taken into account.
The advisory also makes clear that OFAC is more likely to resolve such violations as a result of malware attacks with a non-public response and reiterates that the attacked parties’ conveying necessary information is crucial in tracing cybercriminals and disrupting future attacks to the extent that it is helpful in providing much needed help to the victims of attacks. In coordinating with government agencies, attacked parties have the chance to recover access to their data via alternative decryption, or in certain cases, may even be able to partially recover their ransomware payments.
