US Treasury: Paying Ransomware Gangs Could Violate Regulations

Written by

The United States Treasury has warned companies that they could be fined for paying or facilitating ransom payments to cyber-criminal gangs. 

An advisory published yesterday by the Treasury’s Office of Foreign Assets Control (OFAC) stated: "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."

OFAC said paying ransomware gangs who are operating under economic sanctions was a threat to US national security interests because it could fund the expansion of their criminal activities and could also encourage them to carry out further ransomware attacks.

The Office also noted that "paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data."

OFAC underlined the fact that Americans are prohibited under the International Emergency Economic Powers Act from engaging in transactions with individuals or entities on the office's Specially Designated Nationals and Blocked Persons List. US citizens are also restricted by embargoes placed on certain regions and countries that include Cuba, Iran, Syria, and North Korea.

The advisory stated that violating OFAC regulations could result in a financial penalty. 

"OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."

OFAC urged financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. Ransomware victims and those involved with addressing ransomware attacks were asked to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. 

Commenting on the advisory, CynergisTek CEO Caleb Barlow said: “A ransomware payment is no longer a get out of free jail card. Enterprises have to invest in defenses.” 

Barlow added that the issuance of the advisory was "likely accelerated" by "Garmin knowingly paying an adversary on the sanction list" millions of dollars to recover data after a ransomware attack.

What’s hot on Infosecurity Magazine?