Introduction

On 1 October 2020 the US Department of Treasury's Office of Foreign Assets Control (OFAC) issued an advisory highlighting sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyberattacks.

Relatedly, the US Department of Treasury's Financial Crimes Enforcement Network (FinCEN) issued guidance alerting financial institutions to their role in processing ransomware and associated payments, red flags and reporting information.

Why OFAC's ransomware advisory matters

Included on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List are a number of 'malicious cyber actors' designated pursuant to OFAC's cyber-related or North Korea sanctions. Under these programmes, making an SDN-related ransom payment, directly or indirectly facilitating such a payment or even making related insurance or reinsurance claims payments is likely a prohibited dealing in property (including services) in which the SDN has an interest if conducted by a US person or otherwise subject to US jurisdiction. Civil penalties per violation can be up to $307,922 or twice the value of the payment at issue (whichever is higher); criminal penalties for wilful violations can be up to $1 million and 20 years' imprisonment.

Accordingly, US individuals and entities – including ransomware victims, financial institutions, incident response companies and insurers that process ransomware-related payments – wherever located, should avoid engaging in transactions involving SDNs in the ransomware context. Transactions could include directly or indirectly receiving customer funds, exchanging them for convertible virtual currency, transferring them to the attacker's accounts or making the ransom victim whole through an insurance payment relating to a ransom payment.

In addition, any foreign individual or entity that sends a ransomware-related payment involving an SDN through the United States can also be subject to civil and criminal penalties.

OFAC names specific ransomware and malware, but does not clearly make them off limits

In its advisory, OFAC identifies the following relevant ransomware and malware and their SDN connections:

  • Cryptolocker ransomware, developed by Cyber SDN Evgeniy Mikhailovich Bogachev;
  • SamSam ransomware, linked to Cyber SDNs Ali Khorashadizadeh and Mohammad Ghorbaniyan and two digital currency addresses;
  • WannaCry 2.0 ransomware, linked to North Korea SDNs Lazarus Group, Bluenoroff and Andariel; and
  • Dridex malware developed and distributed by Cyber SDNs Evil Corp and its leader, Maksim Yakubets.

Although OFAC provides this list of ransomware-related SDNs, the advisory raises more questions than it answers with respect to the specific ransomware and malware that it identifies. Left unanswered is whether every attack using one of the named ransomware or malware families is to be assumed to involve the associated SDN, especially given the evidence that other actors can use the same code. The advisory itself, in noting that Dridex was not just developed but also distributed by the SDN Evil Corp, implicitly acknowledges that the SDN's interest turns on who is behind a particular attack, not merely on which malware was used, and so not every attack using these families is one in which the SDN has an interest.

OFAC knows how to make legal links to SDNs, but has not done so here

A tried and true way to legally link ransomware like WannaCry 2.0 to an SDN like Lazarus Group is for OFAC to amend the SDN List to add the new name to the SDN's identifying information. Lazarus Group, for example, already has 11 listed 'weak aliases', including Guardians of Peace and The New Romantic Cyber Army Team, against which millions of transactions every day worldwide are screened by countless financial institutions and other businesses. OFAC could add WannaCry 2.0 to that list to make it clear that any transactions using WannaCry 2.0 should be assumed to include an interest of Lazarus Group.

Although the SDN List includes the SDNs named above, OFAC has not seen fit to add any of the listed ransomware or malware that it has associated with these parties to the SDN List, even as weak aliases for the relevant SDNs. The one possible exception is that Dridex Gang is listed as an alias for SDN Evil Corp, but the word 'Gang' in Dridex Gang suggests that it is a separate entity and not the malware. Thus, the presence of the related ransomware or malware – whether Cryptolocker, SamSam, WannaCry 2.0 or Dridex – does not mean that an SDN necessarily has any interest in the related transactions.

What should cyber-ransomed companies (or their incident response providers or insurers) do?

Often the only things that a ransomware target, or its incident response providers or insurers, will know about the attacker are:

  • the ransomware or malware used;
  • an untraceable email address for communicating with the attacker; and
  • a digital currency address to which the ransom is to be paid.

All of this information should always be run against the SDN List. OFAC occasionally provides identifying email addresses and digital currency addresses on the SDN List and may add specific ransomware and malware in the future. A positive hit should stop payment of any ransom until an interest of the relevant SDN can clearly be ruled out.
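The screening step described above, as an added example that is not part of the advisory or of the original article: a small Python routine that runs the three indicators a responder typically has (malware family, attacker email, payment address) against a hand-built subset of an SDN-style list. Every entry, programme tag, email address and payment address in the inline list is a constructed placeholder (the names mirror parties the advisory mentions); a real deployment would load OFAC's published list files and their alias records rather than an inline tuple.

```python
"""Added example: screening incident indicators against a constructed
SDN-style list. All entries, tags, e-mails and addresses are placeholders,
not data copied from the real SDN List."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional
import re
import unicodedata


@dataclass(frozen=True)
class SdnEntry:
    name: str
    program: str                 # constructed programme tag
    aliases: tuple = ()          # strong and weak 'a.k.a.' names
    emails: tuple = ()
    crypto_addresses: tuple = () # digital currency addresses, where listed


@dataclass(frozen=True)
class Hit:
    indicator: str   # which input matched: family / email / address
    value: str
    entry: str       # primary SDN name
    match: str       # exact / alias / fuzzy
    score: float


# Constructed subset: names mirror parties named in the advisory, the
# identifiers are fabricated placeholders.
SDN_LIST = (
    SdnEntry("LAZARUS GROUP", "DPRK",
             aliases=("GUARDIANS OF PEACE", "THE NEW ROMANTIC CYBER ARMY TEAM")),
    SdnEntry("EVIL CORP", "CYBER", aliases=("DRIDEX GANG",)),
    SdnEntry("EXAMPLE EXCHANGER", "CYBER",
             emails=("pay.me@example.invalid",),
             crypto_addresses=("1ConstructedExampleAddressDoNotUse000",)),
)

FUZZY_THRESHOLD = 0.90  # conservative: near-misses go to human review


def normalize_name(s: str) -> str:
    """Upper-case, strip accents and punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^A-Za-z0-9 ]+", " ", s.upper())
    return " ".join(s.split())


def match_name(candidate: str, entry: SdnEntry) -> Optional[Hit]:
    """Exact match on name or alias first, then a fuzzy near-miss pass."""
    cand = normalize_name(candidate)
    if not cand:
        return None
    for label, names in (("exact", (entry.name,)), ("alias", entry.aliases)):
        for n in names:
            if normalize_name(n) == cand:
                return Hit("family", candidate, entry.name, label, 1.0)
    best = max(SequenceMatcher(None, cand, normalize_name(n)).ratio()
               for n in (entry.name, *entry.aliases))
    if best >= FUZZY_THRESHOLD:
        return Hit("family", candidate, entry.name, "fuzzy", round(best, 3))
    return None


def screen_incident(family: str, emails=(), addresses=()) -> dict:
    """Return every list hit plus a hold/no-hit disposition.

    Payment addresses are compared byte-for-byte after trimming (base58 is
    case-sensitive); e-mail addresses are compared case-insensitively.
    """
    hits = []
    for entry in SDN_LIST:
        h = match_name(family, entry)
        if h:
            hits.append(h)
        listed_emails = {x.lower() for x in entry.emails}
        for e in emails:
            if e.strip().lower() in listed_emails:
                hits.append(Hit("email", e, entry.name, "exact", 1.0))
        for a in addresses:
            if a.strip() in entry.crypto_addresses:
                hits.append(Hit("address", a, entry.name, "exact", 1.0))
    return {"disposition": "HOLD_PAYMENT" if hits else "NO_LIST_HIT",
            "hits": hits}


if __name__ == "__main__":
    # A family the advisory names but that is not listed as an alias: no hit.
    print(screen_incident("WannaCry 2.0", ["anon@example.invalid"], ["bc1qconstructed"]))
    # Alias hit (Dridex Gang is listed for Evil Corp) plus a payment-address hit.
    print(screen_incident("dridex gang", [], ["1ConstructedExampleAddressDoNotUse000"]))
```

Two choices here are worth keeping in a real screener: payment addresses are matched exactly, because case-folding a base58 address would create false negatives, while names and aliases are normalised and then given a conservative fuzzy pass that flags near-misses for review rather than auto-clearing them. The first run shows the gap the article describes: a family named in the advisory produces no hit at all unless OFAC lists it as an alias.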

If there are no SDN List hits and the only link to a possible sanctions nexus is the use of one of the four ransomware or malware families listed in OFAC's advisory, the advisory offers little guidance on how to proceed. It does, however, explain how to ensure that the likelihood and severity of a subsequent OFAC enforcement action, were one to be considered, would be significantly mitigated.

OFAC will consider a company's "self-initiated, timely, and complete report of a ransomware attack to law enforcement" to be a significant mitigating factor if an OFAC enforcement investigation is initiated and an SDN interest is subsequently determined to have been present. OFAC will also consider a company's "full and timely cooperation with law enforcement both during and after a ransomware attack" as a significant mitigating factor. OFAC's instruction is loud and clear:

  • reach out to law enforcement immediately (preferably before providing payment);
  • continue to cooperate with law enforcement; and
  • consider sending a follow-up report of the ransomware attack to law enforcement.

Who you gonna call?

With respect to contacting, cooperating with and follow-up reporting to law enforcement, the advisory provides seven points of contact. It would be wonderful if the suggested outreach to the listed US government offices would result in a swift, coordinated and helpful response assisting a ransomware victim in determining whether it is dealing with a sanctioned entity. Unfortunately, these qualities are not always the hallmarks of government offices labouring under bureaucratic and resource limitations. Asking a victim of ransomware – while its servers are frozen, its communication system is hobbled and its customers are demanding answers – to consider seeking guidance from up to seven different government offices seems a bit much.

It is not OFAC's fault that there is an overabundance of enforcement offices jumping at the chance to help ransomware victims. However, both the government and ransomware victims would probably be better served by a single point of contact that could coordinate for the government and advise the victim with one voice.

For the record, below are all seven contacts that the advisory suggests:

Comment

OFAC's advisory generally condemns ransomware payments, warning that such payments embolden actors to engage in future cyberattacks, but stops short of stating that OFAC considers all ransom payments associated with the ransomware and malware it identifies (ie, Cryptolocker, SamSam, WannaCry 2.0 or Dridex) to be prohibited payments in which an SDN has an interest. The advisory unfortunately does not offer guidance on how to connect the dots between a particular ransomware attack and whether a sanctioned party is behind it. However, it does make clear that early and cooperative contact with law enforcement, preferably before a ransom is paid, is essential to lowering a company's risk. As such, companies that would be comfortable filing a report on the ransomware attack with an enforcement office should give that option serious consideration.