01
Oct 20

Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today.

Image: Shutterstock

In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.

Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million.

The Federal Bureau of Investigation (FBI) and other law enforcement agencies have tried to discourage businesses hit by ransomware from paying their extortionists, noting that doing so only helps bankroll further attacks.

But in practice, a fair number of victims find paying up is the fastest way to resume business as usual. In addition, insurance providers often help facilitate the payments because the amount demanded ends up being less than what the insurer might have to pay to cover the cost of the affected business being sidelined for days or weeks at a time.

While it may seem unlikely that companies victimized by ransomware might somehow be able to know whether their extortionists are currently being sanctioned by the U.S. government, they still can be fined either way, said Ginger Faulk, a partner in the Washington, D.C. office of the law firm Eversheds Sutherland.

Faulk said OFAC may impose civil penalties for sanctions violations based on “strict liability,” meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

“In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal), no mens rea or even ‘reason to know’ that the person is sanctioned is necessary under OFAC regulations,” Faulk said.

But Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury’s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.

Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.

“In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

Along those lines, OFAC said the degree of a person/company’s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

Tags: , , , , , , , ,

58 comments

  1. how do we not know that ransome payments are not tax invasions?

    just curious?:)

  2. Have you looked at the protection that Cyber Crucible offers with their Ransomware Rewind solution?

  3. The only way we will ultimate change adversarial behavior is to change the economics for the bad guys. Treasury Department is stepping up to use their authorities in a new way that could significantly reduce ransomeware against US targets. Simply put, if you are not going to get paid, why do it. Thesis of a TED talk I did about 5 years ago https://www.ted.com/talks/caleb_barlow_where_is_cybercrime_really_coming_from?language=en

    • Ironic that you mention healthcare industry response to pandemic 5 years ago. With what is going on now it seems like we went backwards in healthcare and security from when the ted was made. I enjoyed it and it made sense to me anyway I hope more listen to it.

    • Yes, the economics right now favor paying the ransom. I wrote about this here:

      https://security-economics.com/2020/08/19/ransomware-economics-101/

      Regulations can change the economics, but not allowing ransom payments can result in disasters:

      https://security-economics.com/2020/08/31/ransomware-economics-201/

      The ongoing UHS ransomware incident details are not well known yet, but it will be among the most consequential cyberattacks of the last decade.

      • Agree with your statements. I have been at odds with Fed’s positions to not pay forever, especially for those without adequate backups. Look at the extreme costs to the cities that didn’t pay, and the inconvenience to their citizens (not able to have services).

        Paying or not paying does not change the behavior, contrary to what was said above. Costs to inflict are negligible – and someone doesn’t pay, they just move on. It’s a shotgun approach.

        • Paying criminals blackmail is illegal. There are reasons for that.
          You can be ‘upset’ with that ‘position’, but it’s not changing much.

          They’re doing the infecting to get the payout.
          Paying it out encourages the strategy, defacto.
          There’s no semantic-opine way out of that.

    • You sound like a true cunt, btw check out this random talk I did, blah blah blah

    • You live in the academic world, Caleb.

      Here in the real world, a firm with turnover of hundreds of millions or billions of dollars annually does their own cost/benefit analysis of being completely shut down for 3-4 weeks or more and may opt to pay the ransom as the least bad choice.

      If you and government are prepared to restore the victim’s systems and their loss of profits and productivity and extra expenses, then you pay to “change the economics for the bad guys”, don’t hold the victims ransom twice – once by the cyber criminals and then again by the very government that’s supposed to protect them.

  4. This has to be the dumbest thing ever. How in the hell does anyone know “who” is on the receiving end?

  5. I get so tired of hearing about these fools getting ransomware, when they could prevent it, that I quit feeling sorry for them. I regret the damage it does to health organizations, but they can get fined for HIPAA violations too – maybe I don’t feel so sorry for them either. They should protect the people under their health care, no matter what. It isn’t like the CEO or hospital administrator can’t go to a seminar on how to prevent ransomware attacks.

    • Seems you have no idea how cyber security works. Going to a seminar doesn’t magically make you immune from attack. Defenders have to plug thousands of holes, attackers only need to find one.

  6. This is insane … so if a guy comes up to on the street points a gun at you and demands payment … You pay him … The government finds out about it and levies a fine on you because you encouraged this bad behavior! How about blocking all traffic from know cyber-criminal nation states! Where does protecting your citizens and American business come in to it! Crazy … simply Crazy!

    • It’s pretty easy to hide the origin of your traffic. And, in any regard, the United States has consistently been among the top sources of cyber attacks, so if you’re looking to block traffic based on that…

      • But if “it is pretty easy to hide the origin of your traffic”, how do we really know that the US is in fact the origin of ransomware? Something more than merely seeing the metadata for the demand is necessary to determine the true origin of traffic.

  7. The government needs to go after Microsoft for making it so easy for ransomware to run on windows. Tools like applocker should not be paywalled behind Enterprise edition version of windows.

    • Jared,
      Linux ransomware has not made a big splash yet, but what is your plan for when Linux ransomware gains more traction, and potentially causes companies even more issues?

      • Easy to solve Linux security issues. Just wait until all the FSF advocates get home from their day jobs. They’ll get right on it.

  8. (although I agree people shouldn’t pay ransoms)
    So normal people can’t pay anyone that holds them for ransom, but governments put billions in payouts to countries and their rulers to keep them from being against us. Kinda hypercritical there uncle Sam.
    Now if dear old uncle Sam would put 50 cents of lead the scums heads, maybe ransomware would be rare.
    But alas, someone would replace them. You can’t force morality or ethics on those can’t understand them.

    • Try to have a single thought that isn’t based on a false premise.

      • Is it false that an assassinated hacker discourages others?
        is it false that it’s hypocritical to tell others not to pay bribes while doing it themselves?
        Is it false that another criminal will just replace them?
        Is it false that you can’t impose morality and ethics on those that can’t comprehend them.
        Oh wait, maybe you thought I was talking about you, and you were offended. To bad lol.

        • “Is it false that an assassinated hacker discourages others?”

          So far yeah. Try a real suggestion.

          • “So far yeah.”
            I don’t think anyone has gone that route yet. Closest I could find was hill dog put down Seth, but that’s not even close to tech criminals being assassinated, more like murdering a whistle blower. Time to call in the Blue Morpho.

  9. Let's think about this...

    So the same government that fails to protect US businesses from foreign threats (yes, there are some notable exceptions), and frowns on US companies counterattacking to get their information back, will penalize you for trying to surrender to the bad guys? No protection and no legal remedy = bad guys win; good guys go out of business and lay off their employees.

    Another point: there are many government organizations (fed, state, and local) which try to negotiate with the bad guys to get their information unlocked. Same rules apply to them?

    • Think Harder Plz w/ Scruples

      The US actually does a lot to protect, you know literally nothing about all of that effort? Seriously?

      Yes, if you pay/launder money for criminals you know are criminals, you are potentially committing a crime and should be sanctioned.

      People who try to use non-facts and vaguely-daisy-chained BS arguments to pretend the US is being unreasonable in cracking down on the lucrative source of money for hacking groups (which then get bigger, do not go away) are barely relevant to the decision.

  10. DelilahTheSober

    This seems ridiculous to me. What’s next, telling an assault victim that they should have pulled off their attacker’s mask? Since you didn’t try to identify the man who attacked you, we’re going to fine you.

    • It seems ridiculous to enforce laws against criminal activity?
      Ah, the Trump defense.

      • But is the victim in the example you replied to engaged in criminal activity? The criminal activity is the illegal demand for assets by a gun-wielding man on the street, not the victim, even though the victim knows when he complies, he is giving money to a criminal as a result of criminal activity, and a reasonable victim must know that giving money will encourage more criminal activity.
        I can imagine this as a law exam question, or a bar exam question. I can’t imagine an ethical District Attorney doing that.

      • Mealy, I KNEW you were a NEVER TRUMPER. I’m telling Mommy to dock you an extra tendie for your trolling.

    • @MyMyMyDeliah,WhyWhyWhyDeliah,

      Consider the case of Chiquita-Banadex in Colombia.

      https://opiniojuris.org/2007/03/15/what-did-chiquita-do-wrong/

      What Would Deliah Do?

      #Don’tCutMyHair

  11. I watched billions of dollars being spent on cybersecurity products and services over the years. Hackers actually buy them also to re-engineer them and determine their vulnerabilities. Regulatory Compliance is so vague in many cases that the Supplier or Service Provider carries no responsibility so they can sell you whatever and whenever.

    Public and Private Sectors must retool around Zero Trust Networks. Airgap Networks, http://www.airgap.io realized every company is or will be infected, so they produced a product that actually isolates and stops the proliferation of ransomware. It’s real. Stay Safe.

  12. The Sunshine State

    From today’s article on Bleepingcomputer (dot) com

    “For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

    • As my IT tech told me once, even if you pay, there’s no guarantee your computer system will be un-F***ed.

      • Several of the cryptolockers don’t even HAVE a way to unlock.

        The ones that do have a way still rely on the goodwill of criminals who have already had their payday and probably aren’t entirely interested in further contacts, for obvious reasons.

        Paying ransoms is for Marks. You need Liam Neesons instead.
        Failing that, keep a damn offline backup and do backup drills.

  13. Its good becouse any company can just write off the taxes by telling they payed crypto ransome.
    And then they cash out crypto over sees or spend oversees.
    The USA government has finally started to fight against tax invaders in usa.

  14. Poor security practice means you donor your data assests to elsewhere.

  15. It is going to be interesting to watch what happen with Garmin – they “might” have paid a $10M ransom to Evil Corp in July…

  16. It’s a valid challenge for sure, and OFAC is right to offer guidance. Nonetheless, the reality is that while states like Russia, China, NK and others continue to allow hackers to operate freely there is little choice to a firm that’s burning $100k per hour in downtime with no backups.

    If anyone is interested, I pulled together a rubric based on a game theory model from Caporusso.

    When should I pay ransomware? ARW, ProCircular, 2019:
    https://www.procircular.com/paper/ransomware-when-do-i-pay/

    Game theory citation:
    Caporusso, Nicholas & Chea, Singhtararaksme & Abukhaled, Raied. (2019). A Game-Theoretical Model of Ransomware. 10.1007/978-3-319-94782-2_7.

  17. Why is the article dated Oct 20th and it is only the 2nd?

  18. The government sure does like to get its hands into everything. How’s this for an idea?
    STAY OUT OF TRYING TO RUN PEOPLE’S BUSINESSES!
    If I want to pay a ransom for my data to |337h4x0r’$ bitcoin address, then the government should investigate THE RECIPIENTS BITCOIN ADDRESS.
    This will only get worse if Biden gets elected.

  19. Paying the ransom is not just to unlock the data. Ransomware can also send off a copy of the data to the criminal. Ransom can be demanded for it not to be released publicly. The mitigation for ransomware no longer includes just having good backups. Mitigation for ransomware has been elevated to requiring preventive measures.
    In some cases a company with excellent disaster recovery may be back in business in a day or two. But, If their trade secrets, customer lists, or other sensitive critical information were publicly released, it could mean going out of business or being otherwise severely impacted anyway.

    • There’s no guarantee that the secrets will be kept secret once paid.

      You’re relying on the honor of anonymous internet thieves.
      Do you really think they GAF about your concerns once paid?

      They may wait a few months before they dump it, to throw you off.
      They may not.

      Either way paying them makes you their willful victim, as opposed to just their defacto victim. If they are able to hack your organization and get to unguarded trade secrets and other sauces you have failed segmentation and compartmentalization in addition to IT best practices. Relying on criminals to plug your infrastructure gaps, on the payroll? Is… I mean, evaluate it.

      It’s patently retarded. It’s good money thrown after bad IT.

      • Spoken like a person who is definitely not the CFO or on the Board of Directors of a major corporation.

        It’s a nice academic and moral high ground thought, though, BBB.

        • You're no CFO, Senator

          Are you claiming to be the CFO or Board member of a major corp?

          (I own my own business FWIW, I don’t need to guess about you.)

          If you had an argument you’d have made it instead of, well,
          whatever your whiny slapfight attempt there was about.
          There’s no ‘moral high ground’ being appealed to here.

          You’re misreading. It’s about logical attack surfaces and disaster prevention/mitigation, and if you’re relying on a large payout to the cyber-criminals who hosed your organizational models to appeal to their “desire” to fulfill their side of that “bargain”…
          No offense, but you’re too simple to be in charge of lunch, really.

          Relying on the goodwill of criminals who have victimized you is retarded. Find an argument that isn’t retarded, “CFO guy” lol.

  20. For what it’s worth, using a theory of “strict liability” probably rules out punitive damages. It’s ordinarily used for situations involving well-known hazards. A farmer is strictly liable for paying for the damage if his bull escapes and busts up the village china shop. It doesn’t matter whether the fence was knocked down by a hurricane or the gate was left open by a trespasser. Bulls are inherently dangerous, and to keep one is to accept that strict liability.

    Punitive damages are also possible. But for the china shop owner to get those, he’ll have to prove negligence.

    I bet this strict-liability theory of fining ransomware victims will run into serious trouble from judges.

  21. This sounds like a good way to incentivize businesses to not report Ransomware attacks at all.

  22. Of all the companies that have been hit with ransomware, I’m surprised it wasn’t the banks since a lot of them don’t pay a lot of taxes, make lots of money from holding cash and loaning, and don’t really produce anything for the world. As much as I sound like robinhood, these ransomware attackers need some philosophy lessons – most of those ransomware victims were innocent companies.

Leave a comment