Any person, business, or organization that pays a ransomware ransom, or that helps others negotiate and implement deals with ransomware attackers, could face criminal prosecution or significant fines if the parties who benefit from any resulting payments are under sanctions, the US Government warned late last week.
US law prohibits both individuals and organizations from either directly or indirectly engaging in any financial transactions with individuals or organizations that the Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned, as well as with any party subject to the government’s “comprehensive country or region embargoes,” such as those prohibiting economic activity with anyone in Iran, Syria, North Korea, Cuba, and Russian-occupied regions of Ukraine.
Americans who violate OFAC sanctions face fines of up to $20 million, and, in some cases, may be subject to criminal charges. Furthermore, OFAC is authorized to enforce its sanctions under a doctrine of “strict liability” – meaning that the government can fine any party for violating its sanctions even if that party did not know, and had no reasonable way of knowing, that it was, in fact, violating sanctions.
Americans are subject to OFAC sanctions even when out of the country, and are also prohibited from engaging with foreign nationals in any effort to circumvent sanctions; the US government even considers its sanctions applicable to non-Americans if their actions help an American violate sanctions.
Among those sanctioned by OFAC are multiple parties involved in malware-based cybercrime, including infamous cybercriminals such as the Russian nationals behind both the Cryptolocker ransomware that attacked the data of about 125,000 Americans, and the Dridex malware attacks that stole about $100 million by capturing and abusing login credentials for bank systems. Likewise, Americans are prohibited from transacting with the two Iranians who allegedly facilitated cryptocurrency payments made by victims of the SamSam ransomware, which hackers used to attack both private businesses and state and local governments, and with the North Korean hackers who ran the WannaCry 2.0 attacks that infected over a quarter million computers around the world.
The FBI has long maintained an official policy of advising ransomware victims not to pay ransoms; privately and off the record, however, even senior-level FBI agents have sometimes told ransomware victims that paying ransoms without involving law enforcement may be the best available option.
Theoretically, OFAC’s recent announcement does not represent any change in policy or the implementation of any new laws – it has long been illegal to violate OFAC sanctions, and, in fact, some cybersecurity firms that help ransomware victims manage their responses to attacks already refuse to provide negotiation and ransomware payment services to anyone hit with strains of ransomware believed to be associated with sanctioned entities, countries, or regions. (It should be noted that ransomware victims who wish to pay a ransom to a sanctioned entity can request permission from the Treasury department to do so, and the Treasury Department sometimes grants such a license.)
That said, OFAC’s announcement may be a warning that it expects responses to ransomware attacks to be better coordinated with law enforcement, and that it will step up both enforcement of sanctions and the imposition of penalties on those who do not act as the law requires; the government may be sending a message to ransomware victims, cybersecurity firms, and perhaps even to some law enforcement agents that the era of regularly and quickly paying ransomware ransoms is over.