Businesses, governments, and organizations hit by ransomware attacks now have a new concern to contend with: a large fine from the U.S. Department of the Treasury if they pay to get their data back.
Treasury Department officials made that guidance official in an advisory published on Thursday. It warns that payments made to specific entities or to any entity in certain countries – in particular, those with a designated “penalties nexus” – may be subject to financial penalties imposed by the Office of Foreign Assets Control, or OFAC.
The ban applies not only to the infected group but also to any companies or contractors that work with the group's security or insurance, including providers of insurance, digital forensics, and incident response, as well as all financial services that help facilitate or process ransom payments.
“Facilitating a ransomware payment demanded as a result of malicious cyber activities can enable criminals and adversaries with a penalty to benefit and advance their illicit purposes,” the advisory states. “For example, ransomware payments made to penalties or to comprehensive authorized jurisdictions may be used to fund activities that are contrary to national security and U.S. foreign policy purposes. Ransomware payments can also empower cyber actors to make future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”
Under the law, people in the US are generally prohibited from directly or indirectly engaging in transactions with persons or organizations on OFAC’s Designated Nationals and Blocked Persons List, on other prohibited lists, or in Cuba, Iran, North Korea, and other countries or regions. In recent years, the Treasury Department has added several well-known cyber threat groups to its designation list. They include:
To pay or not to pay?
Law enforcement officials and security consultants generally advise against paying ransomware demands because payments just fund and encourage new attacks. Unfortunately, paying the ransom is often the quickest and least expensive way to recover. The city of Baltimore lost more than $18 million after it was locked out of its IT systems. The attackers behind the ransomware had demanded $70,000. In response, some companies claiming to offer incident response services for ransomware attacks simply pay the attackers.
Thursday’s advisory did not say that people are prohibited in all cases from paying a ransom.
“Under the OFAC Implementation Guidelines, OFAC will also consider an initiated, timely, and complete report of a ransomware attack on law enforcement as a significant mitigating factor in determining an appropriate enforcement outcome if the situation is decided to have penalties nexus. OFAC will also consider the full and timely cooperation of a law enforcement company both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible implementation outcome.”
Thursday’s advisory warns that there are other reasons not to pay. It further explains that the restrictions against paying a ransom are much broader than many people may imagine. Fines can be imposed on any person of the United States who, regardless of location, engages in a transaction that causes a non-U.S. citizen to take a prohibited action. OFAC may also impose civil penalties based on “strict liability,” a legal principle that holds a person or group liable even if they do not know or have reason to know that they are dealing with a person prohibited under penalty laws.
“As a general matter, OFAC encourages financial institutions and other companies to implement a risk compliance program to reduce exposure to penalties-related violations,” the advisory states. “This also applies to companies that deal with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and emergency response, and financial services that may be involved in processing ransom payments (including deposit institutions and monetary services).”
The advisory went on to say that people will not be punished in all cases for paying a ransom. In some cases, victims may receive a dispensation in advance for the payment of a ransom. In other cases, violations can be forgiven or mitigated.
“Under the OFAC Implementation Guidelines, OFAC will also consider an initiated, timely, and complete report of a ransomware attack on law enforcement as a significant mitigating factor in determining an appropriate enforcement result if the situation is decided to have penalties nexus,” officials said. “OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible implementation outcome.”
Post updated to add the last two paragraphs.