Paying off ransomware? Better make sure you’re not breaking the law

Ransomware gangs can appear, directly or otherwise, on sanctions lists.

It’s finally over…or is it? Paying off a ransomware gang to get a decryption key could be just the start of a victim’s troubles.

The Treasury Department’s Office of Foreign Assets Control (OFAC) maintains lists of individuals and organizations that US entities are proscribed from conducting business or transacting with, whether directly or through intermediaries owned and controlled by them. That means that while some sanctioned parties are obvious—like Russia’s FSB intel agency or pretty much any group from North Korea—there’s a risk of violating the law whenever ambiguity arises.

Sanctions violations are also strict liability concerns, meaning violating them, even by genuine error or ignorance, can be a big problem. OFAC has listed only a few ransomware gangs, like Conti, and determining whether an unlisted attacker is actually tied to a sanctioned group is difficult.

Ryan Fayhee, a former Justice Department official who is now a partner at Hughes Hubbard & Reed specializing in sanctions issues, told IT Brew: “It’s not just, ‘I think I figured out which entity attacked me, as a victim I’ve run that through the screening list, and I’ve come to the conclusion that they’re not listed on it.’ It’s a little more complicated than that, even in the traditional setting and not in the middle of a four-alarm fire like these matters typically are.”

The Treasury has warned about the risk of sanctions-prohibited ransom payments since 2020, but in September 2021, OFAC published updated guidance, reassuring potential targets there are mitigating factors it may take into account before making decisions on enforcement actions. Those include active sanctions compliance programs, “meaningful steps” towards reducing the risk of attacks, and prompt notification of police after one happens.

‘There’s risk there.’ OFAC hasn’t taken any public actions against a US company for shelling out a proscribed digital ransom—but the warnings were certainly intended as a reminder they could.

Fayhee said OFAC’s warnings weren’t necessarily directed at victims, but at third parties like insurance companies, attorneys, security firms, or negotiation and payment providers who handle the logistics of paying off an attacker.


The Treasury “really wanted to put on notice those service providers who are in a position to know whether there are sanctioned parties behind a ransomware attack,” Fayhee told IT Brew. “And therefore, if they facilitate that payment, without notifying law enforcement, notifying OFAC, and everything else on an emergency basis, there’s risk there.”

Michael J. Waters, a litigator at Polsinelli’s privacy and cybersecurity practice, told IT Brew that “very few of our clients these days are making ransom payments on their own” and third parties are all “asking for OFAC due diligence.” He added some negotiation vendors have refused to make payments for their clients due to similarities between the attacker and a sanctioned group.

Transparency is key. The recent conviction of a former Uber exec accused of secretly paying off hackers to avoid disclosing a breach to regulators and shareholders illustrates the risk of a target trying to dodge external scrutiny.

“The way that I interpret that guidance is [that] an organization’s ransomware readiness program shouldn’t just be, ‘If we get hit by ransomware, we’re going to pay for a decryption key,’” Waters said. “If an organization has not taken those steps, the [Treasury] department is likely going to be a bit less sympathetic with them if they do have to make payments.”

“First and foremost, call law enforcement,” Fayhee warned. “Share what information you have, and be very cautious before making payments. Because if you’re presented with a known sanctioned entity, you should do something with that information before facilitating a payment by a US person.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.