Security pros face sanctions if they help ransomware victims pay
New advisory from the US government warns cyber insurance and incident response specialists that they could be skating on thin ice if they help ransomware victims pay their attackers off
The US government has issued new ransomware guidance, as well as an advisory alerting security companies who assist victims of ransomware attacks by facilitating payments to designated cyber criminals attackers that they face potential sanctions risks under American law.
The advisory – which can be read in full here – was issued by the Department of the Treasury’s Office of Foreign Assets Control (OFAC), contains a stark warning that financial institutions, cyber security insurance firms and companies involved in digital forensics and incident response risk violating OFAC regulations if they are found to have assisted in making a payment.
“This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions programme,” said the Treasury in a statement.
“It identifies US government resources for reporting ransomware attacks and provides information on the factors OFAC generally considers when determining an appropriate enforcement response to an apparent violation, such as the existence, nature, and adequacy of a sanctions compliance programme.
“The advisory also encourages financial institutions and other companies that engage with victims of ransomware attacks to report such attacks to and fully cooperate with law enforcement, as these will be considered significant mitigating factors.”
The alert applies to those who assist in making payments to ransomware operators who have previously been designated under OFAC’s cyber-related sanctions programme – although clearly to make a payment to an undesignated operator is also highly inadvisable.
OFAC-designated actors include Evgeniy Bogachev, the developer of Cryptolocker and other threats; the Iranian developers of SamSam; North Korea’s Lazarus advanced persistent threat (APT) group, which launched the devastating WannaCry attacks; and Russia’s Evil Corp, which was behind Dridex and WastedLocker, the leader of which was indicted in 2019.
Read more about ransomware
- Backup and recovery are vital components to protect against data loss, whether technical or causes such as ransomware. So how can a backup audit help protect our key assets?
- Software firm Blackbaud paid off a ransomware gang, believed its hackers when they said they had destroyed the data, and has now discovered the cyber criminals accessed even more sensitive information than it thought.
- Private healthcare provider UHS has been been hit by a major big game hunting cyber attack that infected its systems with the Ryuk ransomware.
Besides violating OFAC regulations, the advisory noted that facilitating a ransomware payment enabled cyber criminals to “profit and advance their illicit aims” and could potentially fund activities “adverse” to the US’ national security and foreign policy objectives, as well as emboldening them to attack other targets.
Edgard Capdevielle, CEO of Nozomi Networks, said ransomware attacks were increasing in volume and sophistication, and that to give in to them only fuelled the fire.
“We are seeing more instances where the public and private sector respond to the pressure and pay the ransom. In addition to this week’s OFAC advisory, Senators Warren and Wyden have both introduced separate bills that would hold corporate executives accountable if they fail to take cyber security seriously,” he said.
“Ransomware attacks and other cyber threats will continue to remain constant as our personal lives and business operations continue to digitalise. That’s why choosing to pay a ransom is too often a short-sighted response that could come at a high cost. Research has shown that paying a ransom can double the cost of recovery.
“Building, maintaining and constantly improving an organisation’s cyber security program is always the best approach and there are certainly tools available today that provide cost effective solutions.”
Cybereason’s chief security officer, Sam Curry, said: “Until now, the risk decision in paying a ransom was on the victim and their insurers, which left them in control of potential life and death decisions depending upon what products and services are threatened with a ransom.
“Now the government has given clear guidelines and those risk decisions now include factoring in fines and potentially criminal charges to the insurers that agree to pay ransoms on behalf of their customers.
“Let’s hope the government thinks carefully about the sanctioned cyber criminals or groups included on its list and provides a rapid means of petition for life and/or death. The last thing we want is to bayonet the wounded. If someone is already a victim, we should be careful not to add insult to injury,” he said.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) – the US equivalent of Britain’s National Cyber Security Centre (NCSC) has just published a revised ransomware guide designed to help IT and security pros prepare for and defend against the worst case scenario.
“It is a CISA priority to help our partners defend against ransomware, advise them on appropriate risk-management actions and provide best practices for a resilient, responsible incident response plan in the event of an cyberattack,” said Bryan Ware, CISA assistant director for cyber security.
“The collaborative and consistent engagement with our industry and government partners support our concerted efforts to offer trusted, proactive and timely resources and services. This guide is based on operational insight from CISA and MS-ISAC and our engagements with varied sector partners.”
The CISA’s guide can be downloaded here, while recently-revised, UK-specific guidance from the NCSC can be found here.