US advisory meant to clarify ransomware payments only spotlights widespread uncertainty


If a Treasury Department advisory threatening financial penalties against anyone paying ransomware hackers was intended to send a clear message, it may have done the exact opposite.

The Oct. 1 advisory from the Office of Foreign Assets Control warned that paying or helping to pay ransoms to anyone on its cyber sanctions list could incur civil penalties.

Across some of the industries mentioned in the advisory — like cybersecurity incident response firms and insurance providers — reactions have ranged from confusion to silence, from yawns to raised eyebrows, from praise to fear of a blizzard of potentially unintended consequences.

The worst case scenarios involve ransomware victims in the health sector having to make a life-or-death decision on whether to pay to unlock their systems while at risk of incurring Treasury’s wrath, or situations where victims try even harder to keep attacks quiet to avoid OFAC fines, which sometimes total millions of dollars.

The advisory came less than two months after reports surfaced that a U.S. company paid $10 million in ransom to Evil Corp, a prolific Russian cybercrime gang that the Treasury Department sanctioned in 2019 for allegedly stealing more than $100 million. Americans generally are prohibited from conducting business with sanctioned entities, while individuals who knowingly facilitate transactions with sanctioned entities may also be penalized.

“The U.S. Treasury announcement has caused the industry to pause and reevaluate how they respond to extortion demands,” Charles Carmakal, senior vice president and chief technology officer of cyber company FireEye Mandiant, said via email. “This will add further complexity to an already intense situation for organizations responding to highly disruptive ransomware and extortion security incidents.”

(The Treasury Department declined an interview request and would not answer written questions about the memo.)

Those less concerned about the advisory pointed out that it’s not a new policy or regulation, but a reminder of the existing risks of paying sanctioned hackers. Still, the fact that Treasury chose to issue the advisory at all, its timing, and the secondary impacts it could have have led to “a lot of us having dialogue about what this means,” said IBM X-Force IRIS’s global lead Wendi Whitmore, who works in incident response.

Why now?

In its advisory, OFAC pointed to a significant uptick in ransomware attacks during the COVID-19 pandemic. In September alone, FireEye saw double the number of attacks it observed in September of last year — afflicting more than 100 organizations.

Beazley Breach Response Services, a division of the eponymous London-based insurance firm, said in March that ransomware attacks on its clients increased by more than 100% last year.

But others saw different calendar motives behind the OFAC move. Brett Callow, threat analyst at Emsisoft, noted that two months ago, a U.S. company reportedly paid a significant ransom to Evil Corp, one of the few sanctioned organizations OFAC mentioned in its advisory.

That company may have been consumer electronics maker Garmin. Following a July ransomware attack, Garmin paid $10 million to unlock its systems via Arete IR, an incident response firm, according to Sky News. At the time, multiple media outlets reported that Garmin had been infected with WastedLocker, a ransomware strain linked to Evil Corp.

Garmin declined to comment for this story beyond a previous statement on its service outage. Arete IR didn’t respond to requests for comment.

The nudge toward law enforcement

Some security practitioners suggested that one of the chief aims of the OFAC advisory was to push ransomware victims toward working with law enforcement.

Al Saikali, who chairs the privacy and data security practice at Shook, Hardy & Bacon, said that at least half the time, his law firm’s clients don’t inform police that they’re victims of a ransomware attack.

They don’t see the upside, he said. Saikali considers it a mistake to believe that law enforcement personnel will slow an incident response, though the FBI generally discourages paying ransoms, which could put victims in the awkward position of disobeying law enforcement agents if they decide it’s better to pay.

Other ransomware victims have complained that police are more interested in gathering intelligence about a ransomware hacker than ending a breach.

What OFAC might be communicating is that “if you do pay a ransom to someone on that list but you reported it to law enforcement, they might look the other way,” Saikali said.

The FBI’s Internet Crime Complaint Center identified more than 2,000 ransomware complaints last year, a figure that is largely dependent on incidents reported to the bureau. U.S. officials previously have tried to increase their understanding by asking insurers to volunteer anonymized information about ransomware attacks.

IBM’s Whitmore said that if the advisory fosters closer relationships between ransomware victims and law enforcement, that’s a good thing. But British computer security researcher Marcus Hutchins said the OFAC warning might push victims toward further concealing attacks.

Insurers assess the changes

Typically, cyber insurers already check against OFAC sanctions lists before considering a ransom payment. The incident response firm Coveware, which sometimes brokers ransomware payment negotiations, also said it checks sanctions lists while weighing whether to pay a digital extortion fee.

Individually, both the Marsh insurance company and the national BakerHostetler law firm advised clients they foresaw no major changes to their practice as a result of the OFAC advisory.

More broadly, some industries mentioned in the advisory, such as the financial services sector, were quiet; the Bank Policy Institute declined to comment. Others were still examining it; the American Property Casualty Insurance Association said it was still assessing its implications.

“Cyber insurance provides many meaningful protections, one of which may include the payment of ransom,” said Angela Gleason, the association’s senior director for cyber and counsel. “The policyholder’s ransomware decisions are not entered into lightly and involve law enforcement, legal counsel, and security experts with significant experience and knowledge of the malicious actors and software. OFAC’s guidance on regulatory sanctions is a key consideration to assist insurers’ development and refinement of their compliance programs.”

Some don’t have an option

Small businesses may simply have no choice but to pay.

“The Treasury announcement is very focused on the big businesses, but isn’t really paying attention to what the small businesses need or what they have access to,” said Kiersten Todt, managing director of the Cyber Readiness Institute.

Small businesses’ first instincts aren’t to look at sanctions lists, but rather “how to stay alive.” Because of that, she advised, “You can’t just penalize people on the outcome without educating them or being able to support them in doing what’s right to prepare for ransomware.”

The OFAC memo raises especially pointed questions because it came so shortly after German authorities said a ransomware attack forced a hospital to move a patient, who subsequently died as a result.

“When you get to the point where there is a threat to human life, is there an exception?” asked Adam Meyers, vice president of intelligence at CrowdStrike. “Do they accept the risk and decide to pay the OFAC fine? It raises quite a few questions for everybody.”

OFAC said it would consider licenses to allow victims to pay, but Saikali noted that the Treasury Department hasn’t issued any guidance on who might qualify. And by the time such licenses are processed and issued, the ransomware attackers probably will have done their damage and departed.

Meanwhile, the standard for tying an attack to a sanctioned hacking group is yet another variable, which researchers say highlights the difficulty of using threats to punish ransomware payments.

As FireEye’s Charles Carmakal put it, “The true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions.”