On September 21, 2021, the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) published an updated advisory to advise those who pay ransom to unknown threat actors who have stolen or locked up their data about potential sanctions risks to the crime victim associated with making and facilitating ransomware payments. The new advisory supersedes one promulgated in October of last year, but the thrust remains the same: Pay ransom at your peril.
When a company is hit by ransomware, they have a few options. First, invent a time machine; go back in time and do all of the preventative things that you should have done to minimize the risk of being infected with ransomware, or to minimize the impact of that ransomware. Recognize that, even if you do all of this, you still can be infected with and impacted by ransomware. A second option is to withstand the attack, and either rebuild or restore data or systems. Third, you can attempt various forms of ransomware “inoculation” or “spoofing” or other methods of hacking the ransomware or recovering the encryption key. Sometimes these solutions are effective. Often not. It can take months and massive expenditures to recover from a ransomware attack.
That often leaves victims—and those who work with victims, including law firms, escrow agents, money transfer agents, cryptocurrency brokers, digital forensics and incident response companies, and cyber insurers—to consider paying the ransom (in whole or in part).
You see, there are a wide variety of sanctions that prohibit companies from engaging in financial transactions to certain countries, regimes, terrorist organizations, blocked persons, embargoed jurisdictions or what the law calls “Specially Designated Nationals” (SDNs). And OFAC has a handy-dandy searchable list of evildoers, bad guys and villains. In order to make any kind of payment (and paying ransom is a payment) to an SDN, you have to apply for and be granted a license from the Office of Foreign Asset Control.
On rare occasions, OFAC makes this easier—publishing the cryptocurrency wallet address of prohibited malicious cyberattackers. Thus, if your extortion demand includes that wallet address, you know that the payment is either prohibited or requires a license from OFAC. But in other cases where you don’t know who is responsible for the attack or where the ransom is going, you have no way of knowing whether or not you are violating the sanctions regime. And these sanctions are strict liability—it does not matter if you knowingly violate them or not. All that is needed to prove a civil or criminal violation is that you knowingly made a payment (or engaged in a transaction) and that it turned out the entity was prohibited (oh, and that you didn’t have a license).
So what does the Treasury Department recommend if you don’t want to be sanctioned by the Treasury Department?
First, that you not get infected by ransomware. Not literally, but that you are able to prove that you have taken steps to meaningfully reduce the risk of ransom or extortion by, for example, being compliant with cybersecurity regulations, or following the guidelines of the Cybersecurity and Infrastructure Security Agency (CISA). That means things like maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software and employing authentication protocols, among others, according to the Treasury Department’s guidance. So, if you failed to do this and get hit by ransomware, you have only yourself to blame, and therefore your payment of the ransom is unreasonable.
Second, if you do get infected, you should initiate a “complete report of a ransomware attack” to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), as soon as possible after the discovery of an attack. This must be done voluntarily, as soon as possible and on your own initiative. Oh, and OFAC will only consider it to be cooperation if the cooperation is “full and ongoing” both during and after a ransomware attack and includes providing law enforcement “all relevant information such as technical details, ransom payment demand and ransom payment instructions as soon as possible.” If you withhold details, assert attorney-client privilege or don’t want to open up your most sensitive information to OCCIP, you might not get credit for “full and ongoing” cooperation and might get prosecuted for paying the ransom.
But it’s not enough to just call CISA, OCCIP and other cybersecurity agencies. OFAC also wants victims to notify their local FBI field office, the FBI Internet Crime Complaint Center and/or their local U.S. Secret Service Office.
The Advisory makes it clear that the sanctions may be directed not only at the victims of ransomware but at those who assist them in making payments—like a cyber insurer who helps make the payment or a company that negotiates with the threat actor.
On the other hand, the advisory gives no guidance on how those affected by ransomware, who wish to pay to get their data back (or victims of extortion who wish to pay to keep their data secret) can actually comply with the OFAC regulations by applying for a license. OFAC has an online form you can use to apply for a license, which ironically enough actually indicates that the portal to apply was “non-operational from 10 p.m. EDT on May 11th through 7:30 p.m. EDT on May 13th” due to “technical issues.”
To get a license, the first thing you have to do is to “identify any specially designated national associated with the transaction”—well, how exactly does OFAC want you to do that? Ask the ransomware threat actor for the correct spelling of their name and their current location? Then you have to list which sanctions regime covers that SDN. Are they covered by the executive order on Belarus? Syrian sanctions? Burma? (What did you say Burma for?) Cyber executive order 13694 or EO 13757?
So the law requires a license, imposes strict liability if you don’t have one—but OFAC won’t give you a license unless you tell them the identity of the person and/or reasons for the sanction. Got it. Fun times.
The recommendation that you work with law enforcement on a ransomware attack is actually one that I agree with in almost every case. Law enforcement has a more global reach; the FBI maintains 60 foreign offices and 15 sub-offices around the world, called legal attachés or LEGATS. They liaise with Interpol, and might—keyword here is ‘might’—be able to assist in a ransomware attack. But even if they can’t, they can validate that you did the right things to try to identify whether the threat actor was a sanctioned person.
Whenever you are transferring funds—particularly cryptocurrency—to an unknown person under circumstances where criminal activity is possible (and even when it is not), you are required to do due diligence to learn whether the place or person is subject to sanctions. Threat intelligence associated with crypto transfer (researching the person, researching the IP addresses, DNS entries, methodology, wallet, etc.) is all part of that due diligence.
The new advisory makes it clear. If you don’t do this kind of diligence, you (not the threat actor) will likely be subject to sanctions. And that’s just piling on.