Victims of ransomware attacks could potentially receive civil penalties for making ransom payments to a growing list of threat actors.
On October 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) revealed that it could choose to impose civil penalties on ransomware victims who make ransom payments to malicious actors whom it has designated under its cyber-related sanctions program.
Those actors include Evgeniy Mikhailovich Bogachev, the creator of Cryptolocker; two Iranians who helped provide material support to the SamSam crypto-malware operation; the Lazarus Group along with two sub-groups, Bluenoroff and Andariel, for having developed WannaCry 2.0; as well as Evil Corp and its leader, Maksim Yakubets, for having created the Dridex malware family.
In an advisory, OFAC explained that it added these ransomware actors to its sanctions list with the understanding that ransomware payments to these individuals could threat U.S. national security:
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.
Subsequently, the Office for the U.S. Treasury Department said that those who submit ransomware payments to these and other actors could violate its sanctions as well as come into conflict with both the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA).
OFAC specifically said that it could respond by imposing civil penalties based on strict liability—that is, even if the person submitting payment didn’t know that the actor was listed on a sanctions program.
However, the U.S. Treasury Department clarified that an organization’s decision to notify and/or cooperate with law enforcement following a ransomware attack could serve as mitigating factors in instances involving a sanctions nexus.
OFAC said it will continue to add more actors who “materially assist, sponsor, or provide financial, material, or technological support for these activities” to its sanctions program going forward.