In a first-of-its-kind announcement, the UK Foreign and Commonwealth Development Office (FCDO) has announced sanctions against individuals from two renowned ransomware groups, “Conti” and “Ryuk”. This means that payments to these groups could incur heavy financial penalties and even result in criminal prosecution. The announcement marks a change in policy around sanctioning cyber actors which previously had only designated state actors.
In recent years, ransomware has become one of the biggest cybersecurity concerns for organisations, which fear the significant disruption, costs, regulatory and reputational issues that these kinds of attacks often result in. Businesses should consider their response plans for a ransomware attack in terms of technical remediation and also in terms of public communications, regulatory and sanctions guidance.
Sanctions
The UK sanctions regime applies geographically and also to UK citizens overseas as well as all bodies incorporated or constituted under the law of any part of the UK. Accordingly, the prohibitions and requirements imposed by the Regulations apply to all companies established in any part of the UK. They also apply to branches of UK companies operating overseas.
What is ransomware?
Ransomware groups launch attacks against businesses which involve compromising network security, stealing and encrypting files and then making anonymous extortion demands to victims. A whole industry has grown up around the crime, including groups which specialise in initial access to networks, selling this on to other groups who target and encrypt the files, as well as managing communication and payments with victims. "Ransomware-as-a-service" business models have meant thousands of groups now have access to sophisticated tooling to carry out attacks, paying a cut to the developers. Communications are typically managed via chat mechanisms on dark web hidden services. Payments are made through cryptocurrencies, considered a more anonymous and irreversible way of extorting victims.
Simultaneously, many groups now also practise "double extortion", stealing files and using the threat of making these public as further pressure, sometimes requesting a further payment for victims to avoid this. Groups operate "shame sites" on which they will publicise attacks and make data available for download or sale.
The evolution of sanctions against cyber actors
In 2018 (ancient history in terms of cybercrime), the US Office of Financial Assets Control (OFAC) designated sanctions against two Iran-based individuals and their associated cryptocurrency wallets for their alleged involvement in the SamSam ransomware – at the time, a prolific threat. The sanctions coincided with indictments alleging the case against the two actors.
Since then, the US has continued to sanction ransomware groups and other international governments have followed suit. In 2019, alongside indictments against the actors, the US sanctioned the so-called "Evil Corp" cybercrime group, thought to be responsible for multiple malware and ransomware variants and attacks including the Dridex banking malware and REvil and Lockbit malware.
In 2020, the EU followed suit and announced sanctions against groups behind the "WannaCry" and "NotPetya" attacks which impacted multiple global organisations. These attacks were not thought to be financially motivated and were more likely the work of nation state cyber operations.
The UK itself developed its own cyber sanctions regime. The Cyber (Sanctions) (EU Exit) Regulations 2020 came into force in December 2020. They were designed to prevent threats which seek to undermine the national security of the UK, cause economic loss, impact the functioning of international and non-governmental organisations and impact a significant number of people.
There are still issues with the effectiveness of payment restrictions. Anecdotally it seems that third party countries and payment providers may have been used to mitigate sanctions risk when paying these groups. Potentially, the relationship between those paying and being paid could be seen as too close. When fees are based on a percentage of a payment being made it is hard to see how the incentives for sanctions compliance and victims are aligned with those profiting from the payment.
UK nationals working for cyber security providers in this area must also be careful. It is prohibited to intentionally participate in any activities if you know that the object or effect of them is directly or indirectly to circumvent sanctions.
Despite these goals, up to this recent announcement, the list of designated entities appeared only to contain actors associated with state-sponsored espionage, rather than financially motivated cybercrime.
This new announcement draws a line in the sand to disrupt their activities and prevent them benefiting from their crimes.
What are the issues in sanctioning cybercrime groups?
Sanctions may be seen as the first step towards legislating against ransomware payments. Industry bodies and policymakers remain divided on this issue, with some seeing the banning of payments as further punishing victims, some of whom may be facing existential threats to their businesses.
Some see banning payments as the only way in which ultimately these groups' motivation to continue carrying out attacks can be quelled. Heartening statistics have shown that businesses appeared less prepared to pay ransomware extortion demands than they were. The factors that may have affected this include the disincentives that sanctions have brought but also the cyber insurance market's reduced willingness to pay out.
Regardless, the strategy of sanctioning cyber actors is not without its challenges. The US has led the way in designating cyber actors, with sanctions highly dependent on intelligence and indictments from law enforcement. Building these cases can take years, as it requires a high degree of confidence and certainty and, unlike many other criminal cases, the individuals behind the groups are often in overseas jurisdictions, or anonymous.
Ransomware groups are also prone to quickly changing their tactics, malware and branding. The REvil group were thought to have done this in 2022 and other groups have quickly pivoted to take down their sites and possibly change their names in response to enforcement action. Indeed, in 2020, the sports technology company Garmin reportedly paid a ransom of $10 million to the operators of the "WastedLocker" ransomware, who were suspected by some to be the same group as the sanctioned Evil Corp. This "muddying of the waters" plays into the hands of the attackers, who can hide behind the ambiguity of naming conventions and attribution to ensure they still get paid.
What do the new sanctions mean for UK businesses?
Ultimately, the new sanctions are yet another consideration for UK businesses who become victims of these ransomware groups. Alongside regulatory reporting concerns for the loss of personal data, the risk of breaking sanctions should be carefully considered to avoid fines and possible criminal legal actions. This can include action against individual employees or partners of companies. Attempts to circumvent the restrictions can also be punished.
Making a payment to a sanctioned entity is now a clear risk. In line with the NCSC guidance, MDR Cyber does not recommend the payment of a ransom, but recognises that organisations may choose their own course of action.
Steps should be taken to ensure that the identity of those being paid is understood (as much as is possible), including the payment mechanism used, such as specific cryptocurrency addresses. This should include other connected addresses or intelligence, not just a check whether an account or cryptocurrency address is on the sanctions list. A simple ‘sanctions screen’ is not likely to be enough and may not be a credible defence if a payment is found to be in breach.
Victims of ransomware attacks should ensure they have qualified and accredited incident response teams on hand to help with the technical remediation of such an attack. Legal advisors are also vital for assisting with sanctions decisions, as well as other legal options such as the pursuit of legal injunctions and making reports to the UK authorities.
For more information about the assistance that Mishcon de Reya and MDR Cyber can provide in such cases, please contact mdrcyber@mishcon.com.