Corporate Compliance Insights

An Intersection Between Ransomware and U.S. National Security: OFAC Speaks

3 Key Risks Associated with Facilitating Ransomware Payments

by Scott Lashway, Matthew M.K. Stein, Andrew Zimmitti and Richard Hartunian
October 8, 2020
in Cybersecurity, Featured

Following a recent advisory from the Office of Foreign Assets Control, attorneys from Manatt, Phelps & Phillips consider the difficulty of paying ransomware attackers’ ransoms without violating U.S. sanctions law.

Picture this: At some point in the next six months, you lose access to your files. Even worse, your company loses access to its files. And you are told that if you want access to them again, you will have to pay a sizable amount. In short, you are the victim of a ransomware attack, which encrypts files or systems so that they cannot be decrypted without a key the attacker releases only on payment of the ransom. Do you pay? On October 1, 2020, the U.S. Treasury Department weighed in on the potential sanctions implications of doing so.

This picture is not far-fetched. According to an October 2019 report, every 14 seconds, a ransomware attack is successful and a company becomes a victim. It’s big business too: The report estimated the cost of ransomware in 2019 to be $11.5 billion, rising to $20 billion in 2021, approximately the 2019 GDP of Bosnia and Herzegovina. Another report estimates this year the cost could be as high as $170 billion — almost the GDP of Kansas.

As ransomware becomes ubiquitous and a constant risk (attackers can now acquire ransomware as a service), attackers are evolving into ever more sophisticated actors. Ransomware today comes with a professional look: customer service and real-time chat support to help decrypt files after the ransom is paid. That veneer makes a ransomware transaction look more like paying a legitimate company for a license key than like the criminal shakedown it is. Insurance companies are reported to pay ransoms on behalf of their insureds. A quick payment can be cheaper, faster and less disruptive than paying for forensic work to restore or recreate the impacted data. It can look safer too: if the ransomware is not completely eradicated before restoration begins, restoring from backups or recreating the data can spread the ransomware further, into the backups themselves or into other systems within a segmented corporate network. A decryption key does not remove the attacker's foothold, however, so eradication is necessary whether or not the ransom is paid.

Through all of this, something important is lost: Ransomware attackers, no matter the professional façade, are criminals. They can be subject to U.S. sanctions, and they can be sponsored by foreign regimes that are subject to U.S. sanctions — such as North Korea and Iran — or both. By demanding payment in hard currencies or even Bitcoin, these attackers can gain access to dollars or other hard currencies that they and their sponsor regimes cannot access otherwise.

While paying ransoms was once unheard of, companies of all sizes and maturities now frequently contemplate this option as a cheaper alternative to restoring data and to losing operational capabilities for any period of time. Paying ransoms has become an entire subindustry in the cybersecurity market: vendors whose service is to facilitate payment to a criminal. The focus of this article is not whether that is right or wrong, but rather to identify the potential Office of Foreign Assets Control (OFAC) implications of making or facilitating that payment.

The U.S. Treasury Department on October 1 issued a reminder about the difficulty of paying those ransoms without violating U.S. sanctions law, a five-page “advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory reminds victims, insurers and their financial institutions of the risks associated with paying those ransoms:

1. Paying Ransomware Attackers Can Harm U.S. National Security Interests

Payments made to attackers sponsored by foreign regimes can fund those regimes’ activities, which can damage U.S. national security interests by funding future cyberattacks, economic espionage or other forms of nontraditional warfare.

Even a payment made to an attacker who is not sponsored by a foreign regime can damage U.S. national security. One attacker paid here or one attacker paid there may not have much impact, but as the old joke goes, soon you have real money: tens to hundreds of billions of dollars each year. That amount is high enough to encourage a vicious circle and create additional attacks — especially for those companies known to have paid ransoms in the past. Ransomware attackers are unlikely to agree, after all, to a nondisclosure agreement. Even if they were, these are criminals. They cannot be trusted to abide by one, and if they do not, the (now repeat) victim can’t find them and take them to court.

As attacks continue, the more likely it is that they will impact critical infrastructure, and the more likely it is that they will encourage state actors to sponsor or launch attacks. During the pandemic, some ransomware attackers have forsworn attacks on critical installations, such as hospitals. Others have not.

2. Making Payments to Attackers Can Violate U.S. Law

Generally speaking, absent a general or specific license from OFAC, U.S. persons and companies cannot enter into transactions with sanctioned persons, regimes or their representatives, nor have a non-U.S. actor do so indirectly on their behalf. These prohibitions extend not only to U.S. companies but also to any non-U.S. subsidiary or affiliate owned or controlled by a U.S. company. Because state-sponsored attackers rarely identify themselves as associated with a given state and are unlikely to provide positive identification that could be run against a sanctions list (no W-9 form or trustworthy government-issued photo identification will be provided), a company paying an attacker cannot know with certainty whether paying a particular ransom is illegal. That uncertainty is no defense: OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning a U.S. person can be held liable even if it did not know, or have reason to know, that it was transacting with a sanctioned party.

3. Sanctions Compliance Programs Are a Must

Cyber insurance providers, forensics firms and financial institutions are obligated to have appropriate risk-based sanctions compliance programs to avoid engaging in transactions with persons or entities subject to U.S. sanctions, or even facilitating those transactions. This group likely includes cryptocurrency exchanges in the United States and abroad that facilitate Bitcoin and other transactions. In May 2019, OFAC published a Framework for OFAC Compliance Commitments to assist U.S. companies in developing an effective sanctions compliance program. While the Framework does not specify which provisions of a compliance program are necessary or sufficient in this context, ransomware payments should be factored into the program's risk assessment.

OFAC also advises that, for purposes of enforcement in the event of a sanctions violation, it will treat as a significant mitigating factor a company's self-initiated, timely and complete report of a ransomware attack to law enforcement, as well as its full cooperation with law enforcement both during and after the attack. Voluntarily self-disclosing an apparent sanctions violation to OFAC is another significant mitigating factor, one that can cut in half the base amount of any resulting civil monetary penalty.

At root, this advisory is a reminder that if a business is the victim of ransomware, no matter how corporate or professional the attacker seems, the decision to pay for the decryption key cannot be made without further analysis of the attack and of compliance with U.S. economic sanctions. Otherwise, the business could be funding unsavory regimes, undermining U.S. national security or even breaking U.S. law. Careful analysis of the situation and engagement with U.S. law enforcement, and potentially with OFAC or other offices within the Treasury Department, must come first.


This piece was originally shared by Manatt as a client alert and is republished here with permission.


Tags: Cybercrime, Ransomware, Sanctions

Scott Lashway, Matthew M.K. Stein, Andrew Zimmitti and Richard Hartunian

Scott Lashway is a disputes partner based in the Boston office of Manatt, Phelps & Phillips, which he manages for the firm. His practice focuses on matters involving the intersection of law and technology, and he is co-leader of Manatt's privacy and data security group.
Matthew Stein is a special counsel in the firm’s privacy and data security practice. Trained as a litigator, Matt has been helping clients and companies for nearly 15 years find solutions and seize opportunities in a risk-sensitive manner. Matt’s clients have included companies in the financial services, insurance, e-commerce, technology, health care and retail sectors.
Andrew Zimmitti is a litigation partner in the firm’s Washington office. Andrew has represented financial institutions, institution-affiliated parties, money services businesses, tribal-owned lenders and foreign investors in civil litigation and administrative enforcement actions involving U.S. sanctions compliance and enforcement.
Richard S. Hartunian is a partner in the firm’s Investigations, Compliance and White Collar Defense practice in New York, where he defends clients against allegations of white-collar crime, health care fraud, BSA/AML violations and environmental and defense procurement fraud, and advises on cross-border security and trade issues.

© 2022 Corporate Compliance Insights