Treasury Dept. Warns Against Facilitating Ransom PaymentsBanks, Cyber Insurers, Others Warned Against Playing a Role
A U.S. Treasury Department advisory issued Thursday offers a reminder that financial institutions, cyber insurance firms and others that facilitate a ransom payment after a ransomware attack could face federal penalties. But the warning isn't necessarily a sign of a looming enforcement effort, some cybersecurity experts say.
"I think this is much ado about nothing," says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4. "The United States has long had the laws in place that apply to paying money, ransom or any financial interest or business dealing to people on the Treasury's anti-corruption list. Ransomware is no different."
Charles Carmakal, senior vice president and CTO with FireEye Mandiant, calls ransomware "the most significant and prevalent cybersecurity threat facing corporations today." But he says it's already well known that paying or facilitating a ransom to a threat actor can be a violation of the Treasury Department's Office of Foreign Assets Control regulations that could result in penalties.
Few Details Offered
The Treasury advisory notes that banks, insurers and others that negotiate or facilitate any actions involving a ransomware payment could risk violating OFAC regulations, leading to an "enforcement response."
The agency did not offer details on penalty levels, saying each case would be addressed separately.
"Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries ... to profit and advance their illicit aims. Ransomware payments may also embolden cyber actors to engage in future attacks," the advisory states.
The advisory warns that any entity that facilitates a ransomware payment to a sanctioned organization opens itself up to federal penalties.
The Treasury Department included a list of some threat actors that have been sanctioned. These include Cryptolocker developer Evgeniy Mikhailovich Bogachev, two Iranian nationals behind the SamSam ransomware, The Lazarus Group and two subgroups - Bluenoroff and Andariel - that launched WannaCry 2.0, and Evil Corp and its leader, Maksim Yakubets, that developed and distributed Dridex malware.
"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory says.
The Intended Impact
The advisory amounts to a "shot across the bow" warning of potential repercussions and not necessarily an indicator of increased enforcement, several cybersecurity experts observe.
"This advisory isn't a change in the law, but more a reminder of how the current law applies to ransomware incidents," says Tim Erlin, vice president of product management and strategy at Tripwire. "The Treasury Department is reminding the industry of the potentially big stick they've always had in their back pocket."
Ironically, several government agencies, police departments and state-funded educational institutions that have been victimized by ransomware have paid a ransom to regain control of their system, Erlin points out.
For example, the University of Utah recently paid a $457,000 ransom, Florence, Alabama shelled out $300,000 after a ransomware attack and the University of California San Francisco paid a $1.14 million ransom.
"These extortion demands are in the six-figure range for smaller companies and seven to eight figures for larger companies," Carmakal of FireEye Mandiant says. We are aware of several victim organizations that paid extortion demands between $10 million and $30 million."
KnowBe4's Grimes says he's not aware of any organization that's been prosecuted for paying a ransom or facilitating a ransom payment. "The U.S. government would have to prove that the victim knew who the ransom was paid to ... and that is unprovable in cases of ransomware," he says.