If you pay off the hackers behind a ransomware attack, you could be violating US sanctions, according to the US Treasury Department.
On Thursday, the department issued a five-page advisory about companies facilitating ransomware payments, and how doing so can violate US law. That’s because the US government has increasingly been sanctioning the hackers behind major cyber attacks to prevent businesses, such as banks, from supporting their activities.
For example, the sanctions have targeted the North Korean hackers behind the WannaCry outbreak in 2017, the Iranians who allegedly developed the SamSam ransomware, and the Russian blamed for creating Dridex, a malware strain also capable of delivering ransomware.
At the same time, the US has also sanctioned individual countries—including Iran, North Korea, Russia, and Syria—over national security concerns. As a result, making a ransomware payment to hackers based in the sanctioned countries could end up undermining US foreign policy objectives, the Treasury Department said.
If found breaking the sanctions, individuals and companies can face civil penalties, including steep fines of $300,000 or more depending on the ransomware payment facilitated. But most importantly, the Treasury Department can hold someone liable for breaking the law even if they were unaware they sent a payment to a sanctioned entity.
The department issued the advisory with the goal of combating ransomware attacks, which have been terrorizing businesses, schools, and governments for years now. On Sunday, a major healthcare provider—Universal Health Services—was also hit in a ransomware attack, which has shut down computers across its 400 hospitals.
With today’s advisory, the department is trying to dissuade victims from paying up, which can incentivize ransomware hackers to strike again. Treasury officials also released a second advisory to tell banks and cyber insurance companies to report any suspicious transactions involving ransomware payments to federal authorities.
Assuming banks and cryptocurrency platforms abide by the advisory, the Treasury Department could get a window into who’s making ransomware payments. Whether Treasury officials go after a US company for making a payment will depend on whether the actual ransomware attack was reported to law enforcement and whether the company was cooperative during the investigation.
“Efforts to detect and report ransomware payments are vital to prevent and deter cyber actors from deploying malicious software to extort individuals and businesses, and to hold ransomware attackers accountable for their crimes,” the department said in today’s announcement.
Still, the new advisories from the Treasury Department may do little to stop the ransomware threat. According to Fabian Wosar, a ransomware expert at security firm Emsisoft, many companies that help victims negotiate ransomware payments are already in contact with the Treasury Department’s Office of Foreign Assets Control (OFAC) about their activities.
“In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he told security journalist Brian Krebs. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”