Victims of ransomware schemes and financial institutions could violate sanctions or anti-money-laundering rules—and face stiff penalties—if they facilitate or make payments to attackers, the U.S. Treasury Department said in a pair of advisories Thursday.
The notices, issued by units of Treasury’s Office of Terrorism and Financial Intelligence, warned victims and businesses that assist them to be particularly wary of making ransomware payments to blacklisted individuals and entities, including hacker groups in countries such as Iran, North Korea and Russia.
The advisories come on the heels of high-profile ransomware attacks that have disrupted schools, hospitals and global shipping in recent days.
Attackers took systems offline at Universal Health Services Inc., one of the largest hospital chains in the U.S., forcing it to cancel some surgeries and divert ambulances. Hackers released Social Security numbers of Las Vegas-area students after school officials declined to pay them ransom. French shipping company CMA CGM SA said it shut down its main booking platform and delayed some cargo deliveries in response to a breach.
Successful ransomware attacks allow hackers to hold companies’ computer networks hostage, typically by encrypting internal data, and extorting payments in exchange for restored access.
Many companies pay off attackers if losing the data would cripple their businesses, but the decision to pay can be particularly vexing when the attackers are under sanctions by the U.S. government.
Paying them would be a violation of U.S. law, presenting the possibility of steep penalties. And the Treasury is unlikely to grant special licenses to allow a payment to a blacklisted attacker, according to one of the advisories, issued by the department’s Office of Foreign Assets Control, which enforces sanctions.
“Such a payment would likely directly benefit a sanctioned person and damage U.S. national security, and so OFAC does not want to authorize such transactions as a matter of course,” said Eric Lorber, a vice president at advisory firm K2 Intelligence Financial Integrity Network and a former senior adviser to the Treasury’s undersecretary for terrorism and financial intelligence.
The Treasury’s warnings suggest the agency could take a harder line on enforcement in the future, cybersecurity experts said.
“This announcement is absolutely going to cause significant waves and push companies to reconsider whether paying is an option,” said Charles Carmakal, chief technology officer of cybersecurity firm FireEye Inc.’s consulting arm, Mandiant.
Ransomware and corresponding financial demands have surged in recent years. The Federal Bureau of Investigation said the number of such attacks reported to the agency grew by 37% from 2018 to 2019, leading to a 147% increase in corresponding financial losses.
“It’s worse today than it’s ever been before,” Mr. Carmakal said. Attackers frequently demand more than $1 million now, he added, sometimes topping $10 million with Fortune 1000 companies.
The Treasury’s advisories highlighted threats from cybercriminal groups such as the Russia-based Evil Corp and North Korea-backed Lazarus Group. As companies have added security measures and backed up data to ward off such groups, they have grown increasingly organized as they expand their scope internationally, cybersecurity experts say.
One of the advisories, from the department’s Financial Crimes Enforcement Network, identified red flags to help financial institutions detect possible ransomware. Financial institutions are required to file reports that identify suspicious transactions, including those potentially involving ransomware or other criminal activity. Such suspicious activity reports, or SARs, are intended to help federal officials disrupt the flow of money to terrorists, drug traffickers, arms proliferators and other bad actors.
The OFAC advisory reminded victims and companies—including those offering cyber insurance or involved in ransom payments—that their sanctions compliance programs should consider risks related to engaging blacklisted entities.
OFAC also encouraged companies to report ransomware attacks to law enforcement, noting that self-reporting and cooperation with investigators would be considered mitigating factors in potential punitive action, which could include fines.
Many companies don’t report those payments for fear that authorities will shut down transactions needed to regain crucial business data, said Al Saikali, chair of the privacy and data security practice at law firm Shook, Hardy & Bacon LLP.
Despite federal scrutiny of such payouts, some companies might approach third parties overseas to make ransomware payments on their behalf, said Karen Sprenger, chief operating officer for the cybersecurity consulting firm LMG Security.
That could help avoid detection by U.S. authorities, she said. But the OFAC advisory said a firm can face penalties “even if it did not know or have reason to know” it was paying off a blacklisted group.
“Even if you’re not paying them directly, if you’re using a third party to facilitate a payment, you can still be held liable,” Ms. Sprenger said.
Ms. Sprenger, who is also her firm’s chief ransomware negotiator, said companies evaluate whether to pay attackers on a case-by-case basis. Businesses need to know if hackers can actually decrypt the data they have targeted, she said, and if they will try to embarrass companies by publicizing sensitive information.
“If it’s extortion and just extortion,” she said, “I’m more reluctant to have [companies] pay.”