The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently published an advisory on potential ransomware payment sanctions risks when facilitating ransomware recovery efforts.
U.S. Treasury announces ransomware payment sanctions
The recent advisory is the first guidance addressed to ransomware facilitators regarding potential civil penalties for ransomware payments made in violation of sanctions. Various sanctions are already in place against foreign cybercriminal gangs, such as Russia-based Evil Corp; however, this is the first time ransomware has been mentioned in the context of official sanctions.
The advisory states, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC”.
Is paying ransom legal?
The FBI does not encourage paying a ransom as a first resort; however, it does acknowledge that paying the ransom may be a last-resort option. Under U.S. law, paying a ransomware demand is legal unless payment is made to an OFAC-sanctioned entity. These sanctions prohibit ransomware payment transfers to sanctioned entities in an effort to protect national security and reduce the proliferation of cyber crime.
This advisory emphasizes the need for anyone involved in facilitating ransomware payments to stay up-to-date with sanctions compliance standards and implement a sanctions compliance program when considering making a ransomware payment to recover data.
At Proven Data, our sanctions compliance program ensures we are performing due diligence prior to making any ransom payments associated with data restoration efforts.
If we determine the ransomware encryption cannot be broken after all other options for ransomware recovery have been exhausted, the only remaining solution is to explore paying the ransom.
Per our compliance program, before making any ransom payments, there is a screening process which takes into account the following:
- Ransomware variant name – to ensure no current sanctioned entities are associated with the variant
- IP address of the attacker – to ensure the attacker is not from a sanctioned country
- Bitcoin wallet of the attacker – to utilize tracing software and ensure the bitcoin wallet isn’t linked to any of the bitcoin wallets on the SDN list
Ensuring that no payments are made to any entity on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list is a critical step to recovering from a ransomware incident and remaining in compliance with the law.
Our long-standing process to verify OFAC compliance before interacting with an attacker protects ransomware victims from unknowingly funding identified nefarious actors who are designated as a threat to national security.
This recent announcement underscores the need to report all ransomware attacks to authorities in a full and timely manner. According to the OFAC document, full reporting and cooperation with law enforcement will be considered a mitigating factor when determining the extent to which fines will be enforced.
At Proven Data, we provide resources and guidance to all clients on how to report a ransomware attack to the proper authorities. We recommend that every ransomware attack be reported to law enforcement.
This sanctions notice should make businesses even more concerned about ransomware and encourage them to implement proactive cyber security to keep their data safe against malicious cyber attacks.
Ransomware payment options
If an organization experiences a ransomware attack perpetrated by a sanctioned entity, there are minimal options available to recover from ransomware and regain access. For victims of ransomware, one of the benefits of working with a ransomware recovery company that has a compliance program is that you can reduce your risk of dealing with a sanctioned entity.
The advisory states that ransomware victims are allowed to apply for a special license as a last resort to recover from an attack perpetrated by an entity on the SDN list. The license will be “reviewed by OFAC on a case-by-case basis with a presumption of denial”, so there is no guarantee that the license will be approved.
If the government or a ransomware recovery company can’t find a workaround to the encryption or defeat the malware without paying, the data will likely be unrecoverable forever. However, working with a professional ransomware recovery service can provide the peace of mind that all known recovery options have been explored and the legality has been verified, avoiding the risk of being penalized for an unintentional sanctions violation.
At Proven Data, our team has helped thousands of ransomware victims with our ransomware recovery services. We are committed to assisting clients through the ransomware recovery process.
We are also passionate about raising awareness on how to safeguard data and devices to prevent ransomware attacks from occurring (we even produced a documentary about it with Fmr. FBI Special Agent Patrick Gray of the Computer Crimes Squad). It is never too late to secure your network, even after a ransomware attack, and we encourage everyone to get cyber secure today.
DISCLAIMER: The information provided on our site does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general educational and research purposes only. Readers should contact their attorney for any legal questions if they were a victim of ransomware or a cyber attack.