The Treasury Department’s Office of Foreign Assets Control issued a new advisory Thursday warning banks, insurance companies, negotiators and others about sanctions risks from helping victims make ransomware payments.
OFAC said any company or individual that “facilitates” ransomware payments to sanctioned people, organizations, or countries could face prosecution or civil penalties.
The advisory was directed at financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.
U.S. persons (individuals and organizations) are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities OFAC has blocked, as well as those covered by OFAC’s “comprehensive country or region embargoes” (Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
OFAC has blocked “cyber actors” connected to ransomware, including:
- The alleged developer of ransomware known as Cryptolocker, Evgeniy Mikhailovich Bogachev. Cryptolocker infected more than 234,000 computers worldwide and held over 120,000 U.S. victims’ data hostage.
- Two Iranians who allegedly handled cryptocurrency payments connected with SamSam ransomware. It was used to attack the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company.
- Two subgroups connected with a North Korea criminal organization called Lazarus Group. The subgroups — Bluenoroff and Andariel — were allegedly behind WannaCry 2.0. The ransomware infected about 300,000 computers in at least 150 countries.
- Russia’s Evil Corp. and its alleged leader Maksim Yakbets. Evil Corp’s Dridex malware harvested login credentials on computers at hundreds of banks in more than 40 countries, and resulted in about $100 million being stolen.
On Thursday, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) also issued a new advisory. It included ten “red flags” financial institutions should consider “in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.”
OFAC’s advisory said civil penalties for sanctions violations are based on strict liability. That means . . .
. . . a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
Victims and those addressing ransomware attacks should contact OFAC immediately if the attack may involve “a sanctions nexus,” the guidance said. Attacks on banks and the financial system should also be reported to the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection. Any victims should also consider informing FinCEN, the FBI, the U.S. Secret Service Cyber Fraud Task Force, the Cybersecurity and Infrastructure Security Agency, and the Homeland Security Investigations Field Office
Sanctions can apply to U.S. persons wherever located. Certain sanctions can also apply to non-U.S. persons who cause a U.S. person to violate sanctions. And U.S. persons are also generally prohibited from facilitating actions of non-U.S. persons “which could not be directly performed by U.S. persons due to U.S. sanctions regulations,” OFAC said.
OFAC said it may consider “the existence, nature, and adequacy” of a sanctions compliance program when making an enforcement decision. The agency published a framework in late 2019 that describes essential components of a sanctions compliance program.
License applications involving ransomware payments will be reviewed on a case-by-case basis, OFAC said Thursday. There’s a “presumption of denial” because of national security implications: ransomware payments often fund criminal groups, can lead to further attacks on the United States, and don’t guarantee that victims will regain access to their stolen data.