Picture this: At some point in the next six months, you lose access to your files. Even worse, your company loses access to its files. And you are told that if you want access to them again, you will have to pay a sizable amount. In short, you are the victim of a ransomware attack: malware has encrypted your files or systems, and the attacker is withholding the decryption key until a ransom is paid. Do you pay the ransom? The U.S. Treasury Department weighed in on the potential implications.
This picture is not farfetched. According to an October 2019 report, every 14 seconds a ransomware attack is successful and a company becomes a victim. It’s big business too: The report estimated the cost of ransomware in 2019 to be $11.5 billion, rising to $20 billion in 2021, approximately the 2019 GDP of Bosnia and Herzegovina. Another report estimates this year the cost could be as high as $170 billion—almost the GDP of Kansas.
As ransomware becomes ubiquitous and a constant risk—attackers can now acquire ransomware as a service—attackers are evolving into ever-more-sophisticated actors. Ransomware today comes with a professional look, with customer service and real-time chat support to help decrypt files after the ransom is paid. The professional look makes ransomware transactions resemble paying a legitimate company for a license key more than the criminal shakedowns and cybercrimes they are. Insurance companies are reported to pay ransoms on behalf of their insureds these days. A quick payment can be cheaper, faster and less disruptive than paying for forensic work to restore or recreate the impacted data. Restoration carries its own risk: if the ransomware, and the attacker's access to the network, is not completely eradicated before restoration begins, restoring from backups or recreating the data can spread the infection further, re-encrypting the restored systems and reaching backup infrastructure or new systems within a segmented corporate network. But payment is no guarantee either; as the Treasury advisory itself notes, a victim that pays may never regain access to its data.
Through all of this, something important is lost: Ransomware attackers, no matter the professional façade, are criminals. They can be subject to U.S. sanctions, and they can be sponsored by foreign regimes that are subject to U.S. sanctions—such as North Korea and Iran—or both. By demanding payment in hard currencies or even bitcoin, these attackers can gain access to dollars or other hard currencies that they and their sponsor regimes cannot access otherwise.
While paying ransoms was once unheard of, companies of all sizes and maturities now frequently contemplate this option as a cheaper alternative to restoring data and to losing operational capabilities for any period of time. And paying ransoms has become an entire subindustry in the cybersecurity market, with vendors whose business is facilitating payment to a criminal. The focus of this article is not whether that is right or wrong, but rather to identify the potential Office of Foreign Assets Control (OFAC) implications of making or facilitating that payment.
The U.S. Treasury Department on October 1, 2020, issued a reminder about the difficulty of paying those ransoms without violating U.S. sanctions law, a five-page “advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory reminds victims, insurers and their financial institutions of the risks associated with paying those ransoms:
First, paying ransomware attackers can harm U.S. national security interests. Payments made to attackers sponsored by foreign regimes can fund those regimes’ activities, which can damage U.S. national security interests by funding future cyberattacks, economic espionage or other forms of nontraditional warfare.
Even payment made to an attacker who is not sponsored by a foreign regime can damage U.S. national security. One attacker paid here or one attacker paid there may not have much impact, but as the old joke goes, soon you are talking about real money: tens to hundreds of billions of dollars each year. That amount is high enough to encourage a vicious circle and create additional attacks—especially against those companies known to have paid ransoms in the past. Ransomware attackers are unlikely to agree, after all, to a nondisclosure agreement. Even if they did, they are criminals: they cannot be trusted to abide by one, and if they do not, the (now repeat) victim cannot find them and take them to court.
As attacks continue, the more likely it is that they will impact critical infrastructure, and the more likely it is that they will encourage state actors to sponsor or launch attacks. During the pandemic, some ransomware attackers have forsworn attacks on critical installations, such as hospitals. Others have not.
Second, making payments to attackers can violate U.S. law. Generally speaking, absent a general or specific license from OFAC, U.S. persons and companies cannot enter into transactions with sanctioned persons, regimes or their representatives, or have a non-U.S. actor indirectly do it for them. These prohibitions extend not only to U.S. companies but also to any non-U.S. subsidiary or affiliate owned or controlled by a U.S. company. Because state-sponsored attackers rarely identify themselves as associated with a given state and are unlikely to provide positive identification to be run against a sanctions list—no W-9 form or trustworthy government-issued photo identification will be provided—a company paying an attacker cannot know with certainty whether paying a particular ransom is illegal.
Third, cyberinsurance providers, forensics firms and financial institutions are obligated to have appropriate risk-based sanctions compliance programs to avoid engaging in transactions with persons or entities subject to U.S. sanctions or even facilitating those transactions. This group likely includes cryptocurrency exchanges in the United States and abroad that facilitate bitcoin and other transactions. In May 2019, OFAC published a Framework for OFAC Compliance Commitments to assist U.S. companies in developing an effective sanctions compliance program. While the Framework does not specify what provisions in the compliance program are necessary or sufficient in this context, ransomware payments should be factored into the program’s risk assessment. OFAC also advises that for purposes of enforcement in the event of a sanctions violation, it will take into account as a significant mitigating factor a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement, and its cooperation with law enforcement both during and after a ransomware attack. Another significant mitigating factor that could cut in half any potential civil monetary penalty resulting from an apparent violation is voluntarily self-reporting sanctions-related violations to OFAC.
At root, this advisory serves as a reminder that if a business is the victim of ransomware, no matter how corporate or professional the attacker seems, the decision to pay the attacker for the decryption key cannot be made without additional analysis as to the attack and compliance with U.S. economic sanctions. Otherwise, the business could be funding unsavory regimes, undermining U.S. national security or even breaking U.S. law. Careful analysis of the situation and engagement with U.S. law enforcement, and potentially OFAC or other offices within the Treasury Department, are necessary first.