In October 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory to all companies facilitating payments for victims of ransomware attacks, including cyber insurance firms, financial institutions, and forensics and incident response firms. The advisory warns that making payments to any sanctioned entity listed on the Treasury Department’s Specially Designated Nationals and Blocked Persons (SDN) List, to embargoed countries, or to anyone else deemed in violation may result in civil penalties. OFAC includes enforcement guidelines and encourages companies to incorporate this added concern into their risk-based compliance programs.
While the advisory marks a major step in regulating ransomware payments amid the growing ransomware crisis, it leaves many open questions to which the answers are still evolving.
The Sanctions Risk
OFAC designates malicious cyber actors under its cyber-related sanctions program and others, with examples including:
- The developers of Cryptolocker
- Groups associated with the North Korean WannaCry attacks
- Evil Corp and its leader, for developing Dridex
Because ransomware payments to such persons or groups could be used to fund attacks or activities that endanger national security or undermine foreign policy objectives, they are deemed not only a security risk but an immoral encouragement of continued future attacks.
The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) prohibit U.S. persons from engaging in transactions with individuals or entities on OFAC’s SDN List; other blocked persons; and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
Additionally, any transaction that causes a violation under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons that could not be directly performed by U.S. persons under U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know, or have reason to know, that it was engaging in a transaction with a person prohibited under the sanctions laws and regulations administered by OFAC.
OFAC indicates that it will enforce violations in proportion to the nature and degree of the violation, and it encourages financial institutions and other organizations that interface with ransomware attack victims to develop compliance programs to avoid exposure to these risks. Companies that facilitate ransomware payments may also have regulatory obligations under the Financial Crimes Enforcement Network (FinCEN) regulations.
All ransomware attack victims should contact OFAC immediately at the number below if the request for ransom payment involves a sanctions nexus.
- U.S. Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance and Evaluation Division: (202) 622-2490 / (800) 540-6322
Complying with OFAC
When a business’s data and operations are being held hostage, some businesses (experts tell us approximately 25 percent) may be forced to pay the ransom when they have no other recourse (i.e., their backup systems and data were also compromised), provided the extortion payment can be made in compliance with regulations and without incurring a U.S. civil enforcement penalty. To that end, ransomware payment facilitators normally check conscientiously against the SDN List before making payments to threat actors. The goal is to act in good faith, provide notice to the authorities about the incident, and reasonably demonstrate that the threat actor is not on the SDN List: a challenging task, to be sure, but one that can be achieved with due diligence.
To stay in compliance with OFAC, a cybersecurity forensics firm, Breach Coach® counsel or incident response provider can help assess ransomware variant attribution and the attacking threat actor’s identity, typically through a number of steps that include analyzing the campaign’s tactics, techniques, and procedures for overlap with those associated with a sanctioned group. The malware and attack pattern can be examined through reverse engineering to see whether the code can be tied to any known threat group or entity. Bitcoin wallets can also be checked with blockchain analysis.
“We will also call the FBI and cross-check our information with theirs to make sure we haven’t missed something,” says Jim Jaeger, president and chief cyber strategist of Arete Advisors.
It’s also important to notify law enforcement and report the ransomware attack in a timely fashion. Reporting the incident to OFAC if there are any suspected sanctions concerns, and consulting with the agency, can also help mitigate potential future enforcement action.
“OFAC has been very clear that they recommend full participation and notification of law enforcement as early as possible,” says Patrick McNally, a litigator at Beckage. “That is one of the most important mitigating factors if there might be any question about the ransom payment later on down the line.”
Concerns and Considerations
Given that the advisory is relatively recent, and this area is emerging, experts say compliance should be approached with a degree of caution, keeping in mind the following:
It’s difficult to make determinations about threat actors’ identities.
“Everybody would love to see even more specificity about the steps that can be taken to further identify that a particular ransomware payment will not create any nexus with a sanctioned individual, given the fact that we’re all dealing with imperfect information about who these bad actors are,” says McNally.
The lack of a shared process for due diligence between and among payment facilitators has created a patchwork approach to compliance.
“We’ve been vocal advocates for additional clarification on appropriate due diligence, from Treasury’s perspective, that must be undertaken to determine if the threat actors or the wallet that you are making a payment to is attributed to a sanctioned entity or someone with the sanction nexus,” says Jennifer Coughlin of Mullen Coughlin.
Shadowy by nature, attackers will never make the identification process a simple one. It takes a nuanced approach by an experienced investigator to uncover the truth. Don’t leave this operation to a newcomer.
Another concern is ‘false flag’ operations: one cyber gang could emulate another to throw off a forensic investigation or to confuse the victim about the motive at hand.
Ransomware-as-a-service is an area of concern.
Cryptocurrency payment facilitators are troubled by the idea that some ransomware types used by sanctioned groups might also now be in use by ransomware-as-a-service operators (i.e., individual threat actors), presenting a “gray area” for regulators.
“There are a few entities that are on the sanctions list, and straightforward to identify, like Evil Corp, who use certain tools very heavily,” Jaeger says. “And so some people will say if you ever see these tools, you can’t pay the ransom. But there are other organizations using the same tools now so it can get muddy to pick them out.”
The list itself will evolve over time, which may complicate matters.
One concern some have is that the list itself is a moving target, which may present a gray area for payment facilitators who are operating in good faith but don’t necessarily have all of the pertinent information at the time of the transaction.
“There can be organizations that are not explicitly on the sanctions list when you make the ransom payment. Theoretically, the Treasury Department could come back to you well after the fact,” Jaeger says.
Good assessment requires good evidence.
For any payment facilitator to make a determination, the ransomware victim should provide original sample files and notes.
“I’m always going to work from evidence, and I’m not going to put the country or the company at risk, so it has to be a very conservative estimation,” says Keith Swanson, regional director of incident response at Kivu Consulting. “That requires original documentation wherever possible. It takes a constant updating of our knowledge base to keep up with the threat actors.”
Monero is off-limits.
When it comes to cryptocurrencies, Monero is inherently problematic in that it can’t (theoretically) be traced, which means that no ransomware transaction in Monero can ever be fully proven to be compliant. For that reason, payment facilitators are simply not using it.
“We really can’t get a decent investigation into it and so you can’t get a good subject with a bitcoin wallet,” Swanson says. “While there are multiple layers to the research we do, if we can’t connect the bitcoin, we can’t pay the ransom.”
The OFAC guidance might have leveled the playing field.
While concerns about OFAC violations have spurred some organizations to leave the ransomware payment business altogether, reducing competition and making it more challenging for those who need to make payments at the eleventh hour to find contractors, some experts believe that the focus on compliance has made it a safer environment for everyone.
“It now seems like we are moving towards a much more stable compliance environment where we all know the rules, and that allows all companies, whether they are cybersecurity or forensic or digital payments specialists, to do this the right way,” says Seth Sattler, BSA officer of DigitalMint.
More cross-industry information sharing—to a point—is needed.
At the moment, most payment facilitators are working in competitive isolation. In order to develop better practices and a stronger understanding of threat actors’ identifying traits, industry professionals would be better served sharing their acquired knowledge and improving compliance in the name of national security.
“We need to start thinking of this as a joint endeavor for the greater good,” Swanson says.
However, victim organizations may choose not to share all of the information they learn during investigations into ransomware events impacting their business.
“As part of our investigation and response to ransomware events, regardless of whether our client – the victim organization – decides to pay the ransom, we engage a forensic investigation firm to conduct a privileged investigation into the incident,” Coughlin says. “We understand mandatory ransomware reporting schemes are being contemplated and appreciate that information sharing is a key component in our ongoing fight against cybercrime. However, any such reporting requirements should still afford the victim organization the opportunity to withhold production of privileged information without penalty, or such reporting requirements should explicitly protect the confidentiality of the information and provide that the production of privileged information is not a waiver of the privilege and any other protections that may apply to the information.”
Keep an eye on this space.
Experts expect not only the regulation itself to evolve over time but for a consensus to emerge among payment facilitators for processes, procedures, and policies.
“I still feel like we’re in the first inning of this in terms of collaboration among different payers and money service businesses that are involved,” says Marc Grens, co-founder and president of DigitalMint. “We need a collective set of rules, but it’s still a very new space and more work needs to be done.”
“We need—and welcome—more information from regulators,” Coughlin says. “Nobody wants to get this wrong. But we need more information to get it right—particularly what the expectation is of each stakeholder in the ransomware incident response process for sharing information, and conducting due diligence. Organizations will feel much better about the risk of a strict liability claim down the road if they were told prior to taking any action what they can do to avoid it.”
In the meantime…
The ransomware threat continues unabated, and whether or not the ransom is paid, cyber insureds must protect their data and business operations at all costs.
“Understand that this could happen to you at any time,” Swanson says. “It’s no longer about ripping off a major company for millions of dollars but hitting a million people for a month, so it doesn’t matter how big your business is. Constantly be vigilant and upgrade your security. Make a disaster recovery plan and practice it. You have to go beyond antivirus software now because threat actors are using polymorphic malware, which changes every time it’s downloaded.”
The emphasis on ransoms is missing the larger point, which is that these attacks can and should still be prevented.