An increasing number of companies are falling victim to ransomware attacks and facing a nightmarish choice: Pay a ransom to a criminal group or suffer the consequences of the theft or exposure of sensitive data. Some of those criminal groups are also facing U.S. sanctions.
This week, the Treasury Department weighed in on this choice with two new advisories critical for companies considering paying hackers to resolve a ransomware attack. The advisories’ message is clear: Making ransomware payments may expose companies who suffered the attack, as well as advisory firms supporting them, to violations of U.S. sanctions or anti-money laundering/countering the financing of terrorism (AML/CFT) regulations.
The advisories, issued by Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC), discuss ransomware trends, how ransomware payments are typically made, “red flags” for financial institutions to identify ransomware payments, and how best to report and share information about ransomware attacks with the government.
Here are the key takeaways when contemplating paying a ransom, should your company fall victim to a ransomware attack:
- Always call the authorities. FinCEN and OFAC emphasized the importance of reporting ransomware attacks to facilitate investigations—even if your company runs afoul of Treasury regulations. OFAC’s advisory says that OFAC will weigh a company’s “self-initiated, timely, and complete report” of a ransomware attack to law enforcement in the company’s favor if a sanctions violation is later discovered. OFAC also encourages victims of ransomware attacks, and companies assisting victims, to contact OFAC if a request for a ransomware payment may involve a sanctioned entity. OFAC also recommends that companies report cyberattacks to Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if the attack involves a U.S. financial institution or disrupt a firm’s ability to perform critical financial services.
- Don’t count on a “Get Out of Jail Free” card. A number of the criminal groups carrying out ransomware attacks today have been targeted for sanctions by OFAC. As a result, paying ransoms to those groups would constitute a sanctions violation. While OFAC sometimes grants licenses that permit payments that would otherwise violate sanctions, OFAC does not guarantee that it will approve such licenses when it comes to ransomware payments. The advisory states OFAC will review license applications involving ransomware payments on a case-by-case basis with a presumption of denial.
- Everyone has to play by the rules. Both OFAC and FinCEN say advisory companies involved in ransomware response, such as digital forensics and incident response companies and cyber insurance companies, are particularly exposed to sanctions violations and other illicit finance risks because they may be involved in making ransomware payments. In some cases, they may need to register with FinCEN and follow FinCEN regulations that require them to report suspicious activity. OFAC also encourages these companies to have a risk-based compliance program to mitigate exposure to sanctions violations. If you are working with a digital forensics and incident response or cyber insurance company, confirm they are following Treasury regulations to protect your company’s reputation and avoid violations of law.
- Take your business elsewhere. FinCEN’s advisory details the channels that are used to make ransom payments, which typically include a combination of banks, money services businesses (MSBs), and convertible virtual currency. FinCEN’s advisory reminds financial institutions of the obligation to report suspicious activity, including when dealing with an incident of ransomware, and provides “red flags” to help financial institutions identify ransomware payments. While many financial institutions have long been wary of ransomware payments, the FinCEN advisory is likely to result in increased vigilance by banks and MSBs in particular. As a result, it may become even more difficult to find a way to make a ransomware payment.