US Treasury Advisory: Sanction Risks for Paying Ransomware Operators
According to a recent advisory from the US Treasury Department's Office of Foreign Assets Control, organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem.
This is a very big deal. It can give you the justification at the most senior levels of your organization to implement the CIS Critical Security Controls this year.
OFAC rules and consequences around foreign transactions to sanctioned entities can be substantial. Develop a risk-based approach to support the payment decision now, as John enumerates, before it is needed, including consideration of sensitive data being released. Additionally, include reporting and cooperation with law enforcement in your response plan as this can mitigate the weight of any OFAC enforcement outcome.
This is consistent with the FBI's updated guidance on dealing with ransomware, which came out in Oct 2019: "... the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement." The reminder that payments to sanctioned entities may incur fines was added here. However, the Treasury advisory still says "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training - essentially security hygiene: Bottom line: prevention of ransomware will always end up costing less than incurring or paying off successful attacks.
Ransomware attacks must be resisted, not merely mitigated. They constitute a risk that must be reduced, not simply assigned to underwriters.
William Hugh Murray
Read more in
Read more in:
Bleeping Computer: US govt warns of sanction risks for facilitating ransomware payments