Paying Ransomware May Be Illegal
The U.S. Treasury Department is warning that individuals or businesses making ransomware payments may be violating anti-money laundering and sanctions regulations. The warnings came in two advisories, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC). FinCEN addressed companies that provide services to victims of ransomware attacks, including digital forensics and incident response companies and cyber insurance companies that help make ransomware payments to hackers. According to the advisory, depending on the facts and circumstances, this could constitute money laundering.
“Reportable activity can involve transactions, including payments made by financial institutions, related to criminal activity like extortion. SAR [Suspicious Activity Report] obligations apply to both attempted and successful transactions, including both attempted and successful initiated extortion transactions,” the advisory says. OFAC issued an advisory highlighting the sanctions risks associated with making ransomware payments. OFAC said it will impose sanctions on those who help or sponsor ransomware activities, and it has already listed several hacking groups under its sanctions programs. OFAC may impose civil penalties for sanctions violations on a strict-liability basis, so individuals or companies may be held liable even if they did not know they were transferring money to a group prohibited under sanctions laws. OFAC encourages companies to implement a risk-based compliance program to reduce their exposure to sanctions violations. This also applies to companies that provide cyber insurance, digital forensics, and financial services that may involve processing ransom payments.
The reasons for opposing ransomware payments include that they enable criminals to profit and advance illegal activities; for example, the proceeds could be used to fund activities that affect national security. Ransomware payments may also embolden hackers to carry out future attacks. The FBI has long advised against paying a ransom, because payment does not guarantee you will regain access to your data. The FBI also recognizes that some victims will pay. In such cases, the FBI urges organizations to report ransomware incidents to law enforcement.
The chief technology officer of FireEye Mandiant, a global cyber and national security firm, called Treasury's advisory “well-intentioned,” but said it will add more “pressure and complexity to victim organizations” trying to recover after a security incident. Mandiant is aware of more than 100 organizations where hackers had network access in September, more than double the number known in September of last year. Hackers may demand payment in exchange for a decryption tool, a promise not to publish the stolen data, and a walkthrough of how they broke into the network. The extortion demands are in the six-figure range for smaller companies and seven to eight figures for larger companies. Mandiant is aware of several organizations that paid ransomware demands of between $10 million and $30 million.
The advisory urges victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. OFAC already provides a list of sanctioned entities. Victims are required to check the list prior to paying any ransom. However, the true identity of the cyber criminals extorting victims is usually not known, so it's difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions. Insurance executives also note that insureds, not insurers, make any decision whether to pay a ransomware demand. Although no one wants to support criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more.