Paying Ransomware Demands Could Lead to Federal Fines — for Victim and Insurer Alike

New U.S. Treasury guidelines outline the penalties of paying hackers to unlock data. But the risk of not paying may be greater still.
By: | October 11, 2020

Companies hit with ransomware cyber attacks are facing a new threat — retaliation from the federal government.

The Treasury Department’s Office of Foreign Assets Control (OFAC) issued a new advisory stating businesses that pay ransomware demands could be met with penalties. The Treasury Department says paying cyber attackers enables criminal activity and breaks sanctions with dangerous adversaries. The advisory specifically named Cuba, the Crimea region of Ukraine, Iran, North Korea and Syria.

“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the advisory reads. “Ransomware payments may also embolden cyber actors to engage in future attacks.”

As Ars Technica reports, the regulations against ransom payers appear to be wide-ranging: “Fines may be levied against any U.S. person who, regardless of location, engages in a transaction that causes a non-U.S. person to perform a prohibited action. The OFAC may also impose civil penalties based on ‘strict liability,’ a legal principle that holds the person or group liable even if they didn’t know or have reason to know they were engaging with someone who’s prohibited under the sanctions laws.”

Remind Me Again … What Is Ransomware?

It’s a cyber attack where hackers lock a victim’s data or computer systems with a complex password.

To regain access, the hackers issue instructions for paying a fee (typically in Bitcoin). Once that fee is received, the victim gets a decryption password and instructions on how to free their data.

You can take a deep dive into ransomware, learn how it works and how to remove it with this CSO article.

Insurance Companies Are at Risk of OFAC Violations

Companies facilitating ransomware payments or negotiating with cyber actors on behalf of victims risk violating OFAC regulations. That includes “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” the advisory states.


But insurers and other third parties often know the risks and refuse clients hit with certain ransomware strains, said Fabian Wosar, chief technology officer at computer security firm Emsisoft, in an interview with Krebs On Security.

“In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

Not Paying Hackers Can Be More Expensive — Just Ask Baltimore

Ransomware attackers demanded $76,000 worth of bitcoin from the City of Baltimore after shutting down its computer systems — including all baltimorecity.gov email addresses and credit card payment capabilities.

The Baltimore Sun reports that the cost of delays, workarounds and IT hardening will cost $18.2 million.

The New Advisory May Have Stemmed from an Attack on Garmin

ZDNet reports that the new guidelines were issued “because of the aftermath of the ransomware attack on wearables maker Garmin. The attack was carried out with a ransomware strain named WastedLocker, believed to be the successor of the BitPaymer ransomware, and connected to the EvilCorp group. Garmin is said to have paid the ransom demand.”

Sources tell ZDNet the “Treasury was aware that by fully blocking ransom payments might lead to situations where some companies might not be able to recover their data and would be forced to shut down or suffer considerable losses.”

More Attacks, Fewer Companies Ready for Them

Ransomware incidents are up 25% compared to 2019, with attacks on the manufacturing sector rising 156%.

Typical targets like banks, credit unions and health care organizations also reported a spike in incidents.

Meanwhile, only 20% of companies feel confident in their ability to respond to a ransomware attack.

The Government’s Recommendations

The advisory said that cyber insurance companies, ransomware victims and other institutions need to work together on a risk-based compliance program to proactively guard against attacks.

“This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services),” the advisory states.

It also said that victims should “contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. Victims should also contact the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.”

Jared Shelly is a journalist based in Philadelphia. He can be reached at [email protected].