There are civil liability risks, even if there was no knowledge of the link to sanctions.
The US Department of the Treasury has published its clearest message yet regarding ransomware payments and sanctions risks. An advisory statement published on 1 October 2020 emphasised the potential risks of paying ransomware groups to unlock files, warning that companies considering paying a ransom must be aware of the risks of violating Office of Foreign Assets Control (OFAC) regulations. These regulations apply even in cases where organisations did not know they were transacting with a sanctioned entity. The statement warned that the risks apply to a number of entities, including financial institutions, cyber insurers, and digital forensics and incident response firms, underlining the responsibility of these businesses to carefully consider the consequences of their actions and advice. Proactive reporting to law enforcement to mitigate steep penalties is also encouraged.
While the statement still leaves some room for interpretation, this communication clearly sets out the US Government’s approach to dealing with the issue: facilitating ransomware payment may enable criminals with a link to sanctioned entities to profit, encouraging and emboldening further attacks.
For some time leading up to this advisory, there was ambiguity about the risk of paying ransoms to possibly sanctioned entities. A prominent example is when sports technology company Garmin reportedly paid a multi-million dollar fee to recover its systems after being impacted by ransomware in August 2020. In this case the “WastedLocker” ransomware was suspected by many of having links to a sanctioned group known as “Evil Corp”.
Several cybercrime groups and individuals with links to ransomware attacks now appear on OFAC sanctions lists. The first such appearance was Evgeniy Bogachev in 2016, who was linked to the “Cryptolocker” ransomware. Since then, the two suspected Iranian operators of the “SamSam” ransomware were sanctioned in 2018, the North Korean “Lazarus” group in 2019 for its connection to the WannaCry ransomware campaign, and most recently “Evil Corp” in late 2019. The advisory also clearly states that ransom payments to entities covered by comprehensive country or region embargoes, such as those against Syria, the Islamic Republic of Iran, and the Democratic People’s Republic of Korea, would also violate OFAC regulations. This applies even in cases where the specific entity to which the ransom was paid is not subject to individual sanctions.
The future of ransomware payment sanctions action
The huge recent increase in ransomware attacks (37%) and the even bigger increase in losses reported by the FBI (147%) between 2018 and 2019 has likely prompted this firm response by the US Government. It is likely that this stance will be maintained, and we expect to see cybercrime entities being sanctioned more frequently in the mid to long term. This latest statement also clearly signals the intention of the US Government to begin a campaign of holding businesses and individuals to account for paying ransoms. We anticipate the first example of this to occur in the near future.
While other governments are yet to make such clear statements on the matter, in July 2020 the EU announced its first ever sanctions against cyber attackers, and it is a realistic possibility that other international bodies and governments will follow the lead of the US.
What does this mean for UK businesses?
The potential fines for breaking US sanctions have been extremely steep in the past, with some banks facing multi-million dollar penalties as a result. While it is unlikely that businesses dealing with ransomware will face such high fines, the expected penalties are in the tens to hundreds of thousands in most circumstances.
Businesses and security leaders dealing with ransomware attacks should be aware of the risks of violating US or other sanctions when considering paying ransoms, and of how the jurisdiction of their operations can affect this. It is incumbent on them to understand as much as they can about the threat they are facing, including the specific type of ransomware and its possible origins or links to other groups. Maintaining a good understanding of cyber threats to assist with incident response is vital.
Mitigating factors include implementing a risk-based compliance programme and making a self-initiated and timely report to law enforcement.
MDR Cyber routinely work with our legal professional colleagues to help businesses prepare for and recover from the effects of cyber incidents and guide our clients through the difficult decisions that these entail.
This has been prepared for general guidance only, and does not constitute professional or legal advice. You should not act upon the information contained in this publication without obtaining specific professional or legal advice.