Ransomware Victims Who Pay the Ransom Could Face Millions in Fines
Most organizations hit by a ransomware attack would consider themselves victims. However, those that pay the ransom to recover their data could be fined millions of dollars for violating federal regulations.
Ransomware is a form of malware that encrypts or otherwise blocks access to a victim’s data. The attacker then demands a ransom in exchange for the decryption key. Law enforcement agencies and cybersecurity experts have long advised victims not to pay the ransom. There’s no guarantee that they’ll get their data back, and the payment will likely embolden the criminals to launch future attacks.
Now the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has issued an advisory warning of potential penalties for making or facilitating ransomware payments. The October 1, 2020 advisory warns that OFAC has sanctioned numerous cybercriminals, including those who perpetrate ransomware attacks and those who sponsor, support, or assist in their activities.
Direct and indirect transactions with these sanctioned groups are prohibited by multiple laws and regulations, including the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1706, and the Trading with the Enemy Act (TWEA), 50 U.S.C. §§ 4301–4341. Any U.S. person or entity who runs afoul of these laws may be subject to significant civil fines or criminal penalties.
Scope of OFAC Sanctions
OFAC has been called “the most powerful yet unknown agency in the U.S. government,” with broad authority to block and seize assets, prohibit business activities, and implement trade restrictions. OFAC sanctions encompass a dozen countries and geographic areas, and target such national security threats as terrorism, narcotics trafficking, and transnational criminal organizations.
OFAC also maintains a list of more than 6,000 Specially Designated Nationals and Blocked Persons (SDNs) that U.S. persons and entities are prohibited from dealing with regardless of their location. Often, the connections between SDNs and sanctioned governments and groups can be difficult to trace, and OFAC is continually adding to the list. The slightest nexus to OFAC sanctions is sufficient to trigger an enforcement action.
That makes it easy to violate the law unwittingly. Offenses under the IEEPA, TWEA, and related laws are based upon a strict liability theory—a person or entity may be subject to penalties without knowing that the transaction is prohibited. Furthermore, the law applies to foreign nationals within the U.S., foreign branches and subsidiaries of U.S. companies, and U.S. citizens and permanent resident aliens employed by foreign companies.
OFAC has virtually unfettered authority to enforce sanctions. If OFAC has reason to believe that a U.S. person or entity has conducted a prohibited transaction, the agency will issue a notice of intent to impose a monetary penalty. The recipient must respond in writing within 30 days, after which OFAC decides whether sanctions have been violated. Courts almost always side with OFAC decisions.
Ransomware Payments: Doing Business With the Enemy
Ransomware payments are a logical extension of OFAC policy. Ransomware has become a significant source of revenue for criminal organizations, terrorist groups, and state actors that pose serious national security threats.
The OFAC advisory notes that ransomware attacks have been linked to the Lazarus Group, a cybercrime operation sponsored by North Korea. According to U.S. authorities, there is evidence that North Korea uses the profits from ransomware attacks to fund the production of weapons of mass destruction.
OFAC has also sanctioned Evil Corp., an international network of at least 17 elite cybercriminals that developed advanced malware called “Dridex.” Evil Corp. used the malware to access the login credentials of employees in financial institutions worldwide and steal $100 million from consumers and businesses. The group is also associated with the WastedLocker ransomware, which has been used to attack at least 31 U.S. organizations and demand ransoms of $500,000 to $1 million per attack.
Given the shadowy underworld of cybercrime, ransomware victims who opt to pay the ransom face significant risk of unknowingly dealing with sanctioned individuals or groups. The OFAC advisory also notes that any person or entity that facilitates a ransomware payment, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, may be subject to an enforcement action.
The Growing Ransomware Threat
The risk is exacerbated by the fact that ransomware attacks are skyrocketing. The FBI’s Internet Crime Complaint Center (IC3) has received 3,000 to 4,000 reports of cyberattacks daily since the beginning of the COVID-19 pandemic, four times pre-pandemic levels.
Cybersecurity firm Monstercloud has seen an 800% increase in ransomware attacks since the pandemic forced a rapid, wide-scale shift to remote work. Check Point Research reported a 50% increase in ransomware attacks in the third quarter of 2020 compared to the first half of the year, with six new victims every minute.
Many of these attacks—including Evil Corp.’s WastedLocker ransomware—have exploited security vulnerabilities created by work-from-home models. The malware is often spread via phishing emails that trick victims into clicking on malicious content that appears to provide information related to the pandemic or economic stimulus payments.
Ransomware was already on the rise before the pandemic, due in part to increases in the number of victims willing to pay the ransom. A study by CyberEdge Group found that 58% of victim organizations paid the ransom in 2020, up from just 39% in 2018.
Given OFAC’s sanctioning of cybercriminals who launch ransomware attacks, organizations have another reason to think twice before negotiating with extortionists. The OFAC advisory encourages ransomware victims to contact the agency before making a ransom payment that could result in significant financial penalties.
Learn More About Cybersecurity and the Law
Cybersecurity legal experts will be increasingly needed in both the public and private sector, especially as we navigate the pandemic and the rise of remote work. Purdue Global Law School offers an online Executive Juris Doctor program for those who have no intention of becoming a practicing attorney. The program includes a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available. Request more information today.