Ransomware continues to reshape the cyber landscape. It victimizes businesses of all sizes and has captured the attention of government's worldwide. In fact, a recent ransomware report found that from the first half of 2020 to 2021 the average ransom demand made to Coalition policyholders increased nearly threefold, from $450,000 to $1.2 million per claim. To make matters worse, smaller companies - those with under 250 employees - experienced a 57% increase in attacks.
On September 21, 2021 the U.S. Treasury released an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory highlights potential sanctions risks associated with making ransom/extortion payments in response to a ransomware event. The new advisory supersedes the previous guidance released in October 2020 but it does not fundamentally alter the stance OFAC takes regarding ransomware payments.
The new update continues to reiterate that victims of ransomware attacks who opt to make payments are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions to ensure that money doesn't end up in the wrong hands. So in the unfortunate circumstance where companies fall victim to ransomware attacks what can they do? Here are some key take aways from the advisory.
OFAC advisory designation of malicious cyber actors.
Most ransom payments are made via a virtual currency and regulators have taken note. In response, the OFAC, with assistance from the FBI have designated a virtual currency exchange SUEX OTC, S.R.O. ("SUEX") as a malicious cyber actor. They have added this virtual currency exchange entity to the OFAC sanctions list. This means that SUEX exchange can no longer be used by victims of ransomware attacks to transmit payments.
The treasury department reports that over 40% of SUEX's known transactions are associated with illicit actors. Various enforcement actions have been brought against the digital currency service providers in the last year by the OFAC.
Ransomware Payments
The new advisory does not ban ransomware payments all together, however, it does reiterate that the OFAC strongly discourages ransomware payments. It continues to point out that ransomware payments enable criminals and adversaries to profit from their activities and encourages future attacks. Companies that are subject to OFAC regulations must recognize the sanctions risk in making or facilitating ransomware payments and the potential exposure for civil penalties.
The OFAC also highlighted its continued "strict liability" enforcement posture, stating that a company or person may be legally liable for ransomware payments made to a sanctioned person or embargoed country. The OFAC can even hold a person or entity liable despite having no way of knowing that a ransomware payment involved a specially designated national (SDN), blocked person, or embargoed country.
Recommendations:
While the U.S. government continues to take a strong stance discouraging ransomware/extortion payments, it does continue to encourage victims to ransomware to consider taking the following action:
If you believe a request for ransomware payment may involve an entity or person on OFAC's SDN list, contact OFAC immediately. Failure to do so may result in substantial fines and penalties
Cooperate with OFAC and law enforcement agencies, including CISA, Department of Treasury, and the FBI by filing an IC3 report or reaching out to a local office. Self initiating the report will be taken into consideration if it is later found that the payment was made in violation of the OFAC.
You may seek a license from the OFAC before making a payment, should you discover the person or entity you are going to pay is on the SDN list.
Companies are encouraged to implement a risk-based compliance program to help mitigate exposure to sanctions-related violations.
MapleTronics is here to help
If you have any questions about protecting your business from ransomware or any other cyber threats, MapleTronics is here to help. Contact us today for more information on creating a plan to implement cyber security services and standards to help protect your business.