If you have been paying any attention to headlines about cyber attacks, you have seen an uptick in stories about ransomware. Just last week, there were stories about Universal Health Services being hit by one and another story about how CCSD had personal information released after refusing to pay in a ransomware attack. While it was already a difficult business decision to decide (even life or death in some situations) whether to pay up when hackers hold your system or information hostage, a new advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) makes it even trickier. (You can read a short summary of it at ZDNet.)
Here’s what you need to know from the new guidance issued by OFAC. First, “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Translation: If you are involved in any way in paying a ransom, you increase the chance of future ransom demands and you risk violating OFAC rules. This means if you are not the one making the payment, but are merely facilitating the payment (financially, technologically, etc, you could still be violating OFAC’s rules.
Second, under the authority of various laws (including IEEPA and TWEA), “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities” designated by OFAC. “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Translation: There are laws that say you can’t give money to certain individuals on OFAC’s naughty list and if you violate those laws, you can be be hit with fines even if you didn’t know you were breaking those laws. The fact that OFAC is mentioning strict liability in this advisory is fair warning that we can expect to see examples made of someone who unknowingly breaks the law by paying parties to which is payment is prhobiited.
Third, “Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” Translation: If you do break the rules, you may get a lesser punishment if you contact and work with law enforcement. It’s important to note that it says the cooperation must be self-initiated–which means that if your friendly neighborhood cybersecurity researcher or tech reporter notifies you about an incident involving you, but you don’t do anything until they’ve turned it into a headline, you may not get the full benefit of cooperating with law enforcement.
Finally, “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” Translation: If your data is held hostage by someone on the OFAC naughty list, you can still ask OFAC for permission to pay the ransom, but OFAC will start from a position of saying no. If you know that the party seeking a ransom payment is subject to sanctions and you still want to pay it, you’re probably better off getting permission from OFAC rather than seeking forgiveness later. However, as has always been the case with ransomware payments, this is ultimately a business decision that you and your company will have to make in your own best interest. Now, at least, you have some guidance from OFAC to help you weigh the consequences of making a ransomware payment.