A US Treasury Department advisory was issued on 1 October 2020 and strongly warned that financial institutions, cyber insurance firms, and others that facilitate a ransom payment after a ransomware attack ‘could’ face federal penalties.[1] But the warning is not a sure sign of a looming enforcement effort, some cybersecurity experts say.
Charles Carmakal, senior vice president and CTO with FireEye Mandiant, calls ransomware "the most significant and prevalent cybersecurity threat facing corporations today." Yet Carmakal says it is already well known that paying or facilitating a ransom to a threat actor can be a violation of the Treasury Department's Office of Foreign Assets Control (OFAC) regulations and that such payments may result in criminal[2] or civil[3] penalties. "I think this is much ado about nothing," says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4. "The United States has long had the laws in place that apply to pay money, ransom, or any financial interest or business dealing with people on the Treasury's anti-corruption list. Ransomware is no different."
The US Treasury advisory emphasizes that banks, insurers, and others that negotiate or facilitate any actions involving a ransomware payment could risk violating OFAC regulations, leading to an "enforcement response." The advisory did not offer details on penalty levels, saying each case would be addressed separately. "Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries ... to profit and advance their illicit aims. Ransomware payments may also embolden cyber actors to engage in future attacks," the US government advisory indicated.
The US Treasury included a list of some threat actors that have been sanctioned. The list includes Cryptolocker developer Evgeniy Mikhailovich Bogachev; two Iranian nationals behind the SamSam ransomware; the Lazarus Group and its two subgroups, Bluenoroff and Andariel (both of which launched WannaCry 2.0); and Evil Corp and its leader, Maksim Yakubets, which developed and distributed the Dridex malware.
The advisory amounts to a "shot across the bow" warning of potential repercussions and not necessarily an indicator of increased enforcement, several cybersecurity experts observe. "This advisory isn't a change in the law, but more a reminder of how the current law applies to ransomware incidents," says Tim Erlin, vice president of product management and strategy at Tripwire. "The Treasury Department is reminding the industry of the potentially big stick they've always had in their back pocket."
Ironically, several government agencies, police departments, and state-funded educational institutions that have been victimized by ransomware have paid a ransom to regain control of their systems. For example, the University of Utah recently paid a $457,000 ransom; Florence, Alabama shelled out $300,000 after a ransomware attack; and the University of California-San Francisco paid a $1.14 million ransom. "These extortion demands are in the six-figure range for smaller companies and seven to eight figures for larger companies," Carmakal explained. "We are aware of several victim organizations that paid extortion demands between $10 million and $30 million."
KnowBe4's Grimes says he is not aware of any organization that is being federally prosecuted for paying a ransom or facilitating a ransom payment. "The US government would have to prove that the victim knew who the ransom was paid to ... and that is unprovable in cases of ransomware," he says.[4]
This places many companies in a position where they must make a difficult decision: pay the ransom and get back to business, or refuse to pay and face the repercussions of the attack.
The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks such as ransomware. Red Sky Alliance offers tools and services to help stop these types of cyber-attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cybersecurity software, services, and devices to be used by all employees and consultants who work from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Articles about the cyber threat groups mentioned in this report can be found at https://redskyalliance.org. There is no charge for access to these reports.
Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on 'external' threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
The installation, updating, and monitoring of firewalls, cybersecurity tooling, and proper employee training are keys to blocking attacks. For questions, comments, or research assistance and Cyber Threat Analysis on your organization, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001
[2] 50 U.S.C. §§ 4301–41; 50 U.S.C. §§ 1701–06
[3] 31 C.F.R. part 501, appx. A
[4] https://www.securitymagazine.com/articles/93533-department-of-treasury-releases-advisory-on-potential-sanctions-risks-for-facilitating-ransomware-payments