U.S. Department of Treasury’s OFAC Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments
On October 1, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanctions risks for facilitating ransomware payments.
This advisory in essence removes a potential avenue by which a victim organization of a ransomware attack obtains 1) the keys to decrypt its encrypted files and/or 2) the deletion of sensitive organizational data stolen and held hostage by the cyber threat actor.
Executives need to understand that this potential short-term solution of making a ransomware payment, facilitated by their financial institutions, cyber insurance firms, or companies involved in digital forensics and incident response, may result in sanctions against these facilitators by the U.S. Department of Treasury’s OFAC.
Since 2016, OFAC has designated numerous cyber threat actors under its cyber-related sanctions program and other sanctions programs, including:
- Cryptolocker ransomware (created by Russian national Evgeniy Mikhailovich Bogachev) sanctioned in 2016
- SamSam ransomware (two Iranian cyber threat actors) sanctioned in 2018
- WannaCry 2.0 ransomware (North Korean Lazarus Group) sanctioned in 2019
- Dridex malware (Russian-based Evil Corp and its leader, Maksim Yakubets) sanctioned in 2019
This advisory notes that OFAC will continue to impose sanctions on these cyber threat actors and on others who materially assist, sponsor, or provide financial, material, or technological support for these activities.
Under its enforcement guidelines, OFAC will consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome. OFAC encourages ransomware victims and those involved in addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.
During July 2020, I wrote an article describing how a successful ransomware attack is a symptom of a much larger problem: the failure of an enterprise-wide cybersecurity risk management program.
Executives need to have a comprehensive understanding of whether or not their enterprise-wide cybersecurity risk management program is effectively protecting the organization from all cyber threats, including ransomware attacks.
The following are questions for Executives, whose responsibilities include enterprise-wide cybersecurity risk programs, to consider for their next discussion with their organization’s CIO and/or CISO:
- Are all ransomware attacks (successful or not) reported to Executive Management and the Board of Directors?
- Is there a reporting protocol by which the cybersecurity team reports ransomware attacks (successful or not) to Executive Management and the Board of Directors?
- Does the organization have a policy on how to handle a ransomware extortion scenario including the individual(s) who will decide on whether this payment is made or not?
- Have the Executive Management team and Board of Directors been provided a detailed briefing on the current ransomware environment and the various methodologies used by today’s cyber threat actors?
- Does the organization’s cybersecurity team have an ongoing and robust relationship with federal law enforcement and other federal cybersecurity agencies (FBI, U.S. Secret Service, DHS CISA)?
- Has the CIO/CISO informed the entire cybersecurity team, business unit leadership teams, and the organization’s internal audit team of this new OFAC advisory and its potential impact on the organization?
If your Executive Management team or Board of Directors needs assistance in discussing this issue or any other cybersecurity issues, please contact Pete Cordero at the Hacking The Cyber Threat cybersecurity consulting firm.
For more details, please review the October 1, 2020 U.S. Department of Treasury’s OFAC Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.