Another Business Risk From Ransomware? Beware OFAC Sanctions Before Paying the Cyber Criminals

A recent advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) highlights a further risk to businesses from the ever-expanding ransomware menace. Aside from the regulatory burdens that can result from a data breach, the possible loss and leakage of sensitive IP, the loss of productivity and services due to being locked out of devices and the actual cost of paying the ransom itself, there now comes an additional risk factor to take into account: actually paying (or facilitating payment to) certain cyber criminals could result in violation of OFAC regulations and expose the payee to civil penalties, even if the payee was unaware that the payment was prohibited under OFAC’s sanctions laws and regulations. In this post, we dig into what this means for businesses facing ransomware threats.

What Are OFAC Sanctions Laws?

OFAC is responsible for administering and enforcing U.S. economic and trade sanctions programs against specific foreign governments, individuals, groups, and entities in accordance with the government’s national security and foreign policy goals and objectives. Within this remit, OFAC imposed its first sanctions against foreign individuals engaging in cyber criminal activity in December 2016. Evgeniy Bogachev, developer and distributors of Zeus banking malware and Cryptolocker ransomware, and Aleksey Belan were designated for their respective roles in the theft of over $100 million from U.S. financial institutions and government agencies and the theft and illegal sale of user data from around 200 million online accounts worldwide.

The designation means that

“any property or interests in property of the designated persons within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them.”

A number of other individuals and organizations have been designated since then. Two Iranians involved in funneling proceeds from SamSam ransomware were sanctioned in late 2018, while the infamous North Korean-backed Lazarus Group were sanctioned in September 2019 for their role in the WannaCry ransomware episode two years earlier. A few months after the Lazarus designation, the Russian gang behind Dridex malware, Evil Corp, along with their leader Maksim Yakubets, were added to OFAC’s list of persona non grata. In October 2020, the Treasury sanctioned Russian entities and individuals from the GRU for, among other things, their part in NotPetya, and the TsNIIKhM, believed to be behind the Triton industrial malware.

This is by no means an exhaustive list of those under OFAC sanctions, but it highlights the fact OFAC has made a point of going after those that deal in ransomware, enterprise-targeted malware and other forms of financial cybercrime.

The Consequences of Paying a Ransomware Demand

OFAC’s explanatory advisory makes it clear that acceding to ransomware demands in any situation has consequences:

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

In particular, the advisory points out that threat actors who have been sanctioned have been so designated because they represent a threat to U.S. national security interests. Thus, ransomware payments made to such actors may directly or indirectly contribute to the funding of further cyber threats to national security. In addition, as the old saying goes, success breeds success, and paying actors for one attack only emboldens them to undertake further attacks.

It is also important to note that it is not just direct payments from a victim to a sanctioned entity that can cause the victim to be in breach of OFAC regulations. As the advisory notes, the sanction risks apply to any company that facilitates “ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response”.

What Happens If You Are Hit with Ransomware from a Sanctioned Actor?

As we noted above, OFAC’s advisory states that companies or individuals making or facilitating ransomware payments to sanctioned groups or individuals “may risk violating OFAC regulations.”

The “may” here reflects two different caveats. First, the risk of violating OFAC regulations is, of course, specific to dealing with threat actors that have been sanctioned. Second, however, is that OFAC does understand the complex dilemma faced by victims. For that reason, there are mitigating factors and OFAC may in some circumstances license payments to be made. Such license is granted on a case-by-case basis, with applications considered “on a presumption of a denial”.

What is the True Cost of a Ransomware Attack? | 6 Factors to Consider
The ransom demand may be the headline figure, but it's not the only, or the biggest, cost to bear.

As a prerequisite to any consideration, the applicant is expected to have self-reported the incident to law enforcement and to OFAC in a complete and timely manner.

Moreover, OFAC state that they consider “full and timely cooperation” with law enforcement agencies both during and after the attack as a significant mitigating factor when deciding on the possible outcome of any violation of the sanctions rules.

Another strongly mitigating factor concerns whether the victim had, at the time of an apparent violation, an effective sanctions compliance program (SCP) in place. The details of an effective SCP will vary depending on the organization’s profile, but the basic components of a risk-based approach to sanctions compliance will include:

  1. Management commitment
  2. Risk assessment
  3. Internal controls
  4. Testing and auditing
  5. Training

Further details on how to implement these components can be found here.

Ebook: Understanding Ransomware in the Enterprise
This guide will help you understand, plan for, respond to and protect against this now-prevalent threat. It offers examples, recommendations and advice to ensure you stay unaffected by the constantly evolving ransomware menace.

Conclusion

The risks to organizations from ransomware keep on growing, as does the statistical chance of being hit by ransomware given the rise and easy-availability of RaaS offerings like Fonix, SMAUG, Thanos, Project Root and others that require little or no programming skills. On top of that, with state-backed actors teaming up with cyber criminals, and the continued prevalence of ransomware attacks from the sanctioned entities behind SamSam and Cryptolocker, it is evident that the only effective answer to ransomware lies in effective prevention.

The SentinelOne platform offers organizations a trusted solution that can help defeat the ransomware threat, prevent cyber threat actors from establishing a foothold in your network and which can be deployed to protect your endpoints across different OS platforms and cloud container workloads. If you would like to see how SentinelOne can help your organization to stay safe against cyber attacks, contact us today or request a free demo.