Financial losses by businesses to ransomware perpetrators are quickly on the rise. So, too, are the numbers of victimized companies. To help combat payments that could benefit what it calls “malicious actors,” the US Department of the Treasury has put out an advisory about federal regulations and penalties for victims, financial institutions, and anyone else who might “facilitate” ransomware payments.
Ransomware keeps revving up
The FBI has reported a 37% increase in disclosed ransomware cases between 2018 and 2019, plus a 147% annual increase in “associated losses.” This is according to the Office of Foreign Assets Control (OFAC), the arm of the Treasury Department that issued the ransomware advisory on October 1, 2020.
To OFAC as well as to many outside observers, it looks like the COVID-19 pandemic is only making the bad news even worse, with companies performing more of their business online these days. “Although the FBI has not released statistics for 2020, it is widely believed that these figures have increased by even larger margins over the course of the last year,” according to attorneys at Blank Rome LLP, one of a number of law firms that’s set out to explain OFAC’s guidance.
What should you do if you get hit?
You might be tempted to pay the ransom just to get your data back, or to keep attackers from releasing your company’s sensitive information. Don’t do that, OFAC strongly indicated. If you do pay the attackers, you could also be forced to pay a civil penalty to the US government.
The OFAC advisory makes it crystal clear that, even when made “under duress,” ransom payments are still covered by its sanctions regulations. These regulations restrict dealings with “certain targeted countries, regions, entities, and persons on grounds such as foreign policy, national security, and combatting weapons proliferation, transnational crime, narcotrafficking, and human rights abuses,” noted Crowell & Moring, another law firm, in a blog post.
More specifically, OFAC prohibits payments to or transactions with the persons and entities on its Specially Designated Nationals and Blocked Persons List (“SDN List”) unless you have first obtained a license from OFAC. The same prohibition covers payments to or transactions with comprehensively embargoed countries and regions such as Cuba, Crimea, Iran, North Korea, and Syria.
‘Ignorance of the law is no excuse’
In case you think anyone can leverage “ignorance of the law” as a defense, guess again. According to the advisory itself, OFAC “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited.”
OFAC wants people to report violations
Also in the document, OFAC pinpoints factors it looks at when determining an “appropriate enforcement response” to a violation, including whether or not a company has a sanctions compliance program in place.
OFAC urges banks and other organizations aware of ransomware attacks to make “self-initiated, timely, and complete” reports and to cooperate fully with law enforcement since these actions will also be regarded as “mitigating factors.”
Will OFAC’s advisory actually thwart ransomware?
Some experts believe that warning businesses of OFAC’s penalties will backfire by presenting businesses with a double whammy, essentially blaming the victims. “This advisory will propagate ransomware rather than reduce it,” according to Melody J. Kaufmann, cybersecurity specialist for Saviynt.
SMBs, especially, will be deterred by the risk of fines from coming forward and sharing useful information about the ransomware attacks they have experienced. “The Treasury Department will only learn of a ransomware attack on a small or medium business via a disgruntled employee or a media outlet reporting it,” Kaufmann predicted when speaking with Security Magazine.
When will ransomware fines become reality?
OFAC does not appear to have assessed any penalties over ransomware payments yet, according to the Cozen O’Connor law firm. However, the tone and timing of the advisory suggest “an increased threat level and increased regulatory scrutiny,” the attorneys noted.