Fraud Management & Cybercrime , Fraud Risk Management , Ransomware

Treasury Dept. Warns Against Facilitating Ransom Payments

Banks, Cyber Insurers, Others Warned Against Playing a Role
Treasury Dept. Warns Against Facilitating Ransom Payments

A U.S. Treasury Department advisory issued Thursday offers a reminder that financial institutions, cyber insurance firms and others that facilitate a ransom payment after a ransomware attack could face federal penalties. But the warning isn't necessarily a sign of a looming enforcement effort, some cybersecurity experts say.

See Also: Webinar | Financial Institutions Seek a Step-In Approach to Sensitive Unstructured Data Compliance and Security

"I think this is much ado about nothing," says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4. "The United States has long had the laws in place that apply to paying money, ransom or any financial interest or business dealing to people on the Treasury's anti-corruption list. Ransomware is no different."

Charles Carmakal, senior vice president and CTO with FireEye Mandiant, calls ransomware "the most significant and prevalent cybersecurity threat facing corporations today." But he says it's already well known that paying or facilitating a ransom to a threat actor can be a violation of the Treasury Department's Office of Foreign Assets Control regulations that could result in penalties.

Few Details Offered

The Treasury advisory notes that banks, insurers and others that negotiate or facilitate any actions involving a ransomware payment could risk violating OFAC regulations, leading to an "enforcement response."

The agency did not offer details on penalty levels, saying each case would be addressed separately.

"Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries ... to profit and advance their illicit aims. Ransomware payments may also embolden cyber actors to engage in future attacks," the advisory states.

Threat Actors

The advisory warns that any entity that facilitates a ransomware payment to a sanctioned organization opens itself up to federal penalties.

The Treasury Department included a list of some threat actors that have been sanctioned. These include Cryptolocker developer Evgeniy Mikhailovich Bogachev, two Iranian nationals behind the SamSam ransomware, The Lazarus Group and two subgroups - Bluenoroff and Andariel - that launched WannaCry 2.0, and Evil Corp and its leader, Maksim Yakubets, that developed and distributed Dridex malware.

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the advisory says.

The Intended Impact

The advisory amounts to a "shot across the bow" warning of potential repercussions and not necessarily an indicator of increased enforcement, several cybersecurity experts observe.

"This advisory isn't a change in the law, but more a reminder of how the current law applies to ransomware incidents," says Tim Erlin, vice president of product management and strategy at Tripwire. "The Treasury Department is reminding the industry of the potentially big stick they've always had in their back pocket."

Ironically, several government agencies, police departments and state-funded educational institutions that have been victimized by ransomware have paid a ransom to regain control of their system, Erlin points out.

For example, the University of Utah recently paid a $457,000 ransom, Florence, Alabama shelled out $300,000 after a ransomware attack and the University of California San Francisco paid a $1.14 million ransom.

"These extortion demands are in the six-figure range for smaller companies and seven to eight figures for larger companies," Carmakal of FireEye Mandiant says. We are aware of several victim organizations that paid extortion demands between $10 million and $30 million."

KnowBe4's Grimes says he's not aware of any organization that's been prosecuted for paying a ransom or facilitating a ransom payment. "The U.S. government would have to prove that the victim knew who the ransom was paid to ... and that is unprovable in cases of ransomware," he says.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.