The US Treasury Department’s Office of Foreign Assets Control (OFAC) recently issued a new advisory warning banks, insurance companies, negotiators and others about the sanctions risks of helping victims make ransomware payments.

OFAC said any company or individual that “facilitates” ransomware payments to sanctioned people, organizations, or countries could face prosecution or civil penalties.

The advisory was directed at financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.

U.S. persons (individuals and organizations) are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities OFAC has blocked, as well as those covered by OFAC’s “comprehensive country or region embargoes” (Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).

OFAC has blocked “cyber actors” connected to ransomware, including:

  • The alleged developer of ransomware known as Cryptolocker, Evgeniy Mikhailovich Bogachev. Cryptolocker infected more than 234,000 computers worldwide and held over 120,000 U.S. victims’ data hostage.
  • Two Iranians who allegedly handled cryptocurrency payments connected with SamSam ransomware. It was used to attack the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company.
  • Two subgroups connected with a North Korea criminal organization called Lazarus Group. The subgroups — Bluenoroff and Andariel — were allegedly behind WannaCry 2.0. The ransomware infected about 300,000 computers in at least 150 countries.
  • Russia’s Evil Corp. and its alleged leader Maksim Yakubets. Evil Corp’s Dridex malware harvested login credentials on computers at hundreds of banks in more than 40 countries, and resulted in about $100 million being stolen.

In a recent and parallel effort, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) also issued a new advisory. It included ten “red flags” financial institutions should consider “in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.”

While these regulatory advisories are only just coming into effect in the USA, we expect they will have parallel reverberations in Europe as well. It is too early to predict whether the advisories will achieve their objectives in terms of (i) disincentivising cyber criminals from financial extortion or (ii) incentivising victims to improve their security hygiene. One sure thing in the short term is that victims will face a much tougher decision if they come to consider ransom payments as an option to recover their business data.

For further detail, we invite our readers to also visit the blog article on the subject by our partner Chainalysis.