PL Risk Blog

US Treasury Department Warns Companies Paying Cyber Ransom Could Violate OFAC Rules

Written by Drew Smith | Oct 19, 2020 3:00:00 PM

In an advisory posted October 1st, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned that businesses that pay a ransom may face fines if the ransom goes to an actor or state already under US economic sanctions. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”[1]

This is significant given the current trends in cyber ransom demands and payments. Coalition, an emerging cyber insurance carrier, stated in a recent webinar that it has seen cyber ransom demands increase by 47% from the first quarter to the second quarter of 2020 alone. According to Mike Smith, President and CEO of Axis Insurance Services, LLC, “Out of 3,000 customers and in our small subset of the industry we have almost a dozen cyber ransoms in excess of $1M with demands as high as $10M. The amounts of the demands have increased from a low of $500 three years ago to, at a minimum, several hundred thousand on every demand. What is worse is that they have evolved to not only encrypt your data but threaten to expose it on the internet if not paid.” This means that even if companies have good backup systems and can restore their data, they are still being pushed to pay the ransom to avoid public disclosure of that data, which can have further financial consequences.

Many of the known hackers, including the makers of the Cryptolocker virus, have ties to organizations based in countries such as North Korea, Iran and Russia. OFAC’s warning to discourage companies from paying ransoms follows similar advice from the FBI, even though paying may seem like the quickest way to get back to relative normalcy. OFAC is willing to go a step further, potentially imposing fines of up to $20 million on companies that do not have a special exemption from OFAC, and penalties can even include jail time. Ginger Faulk, a partner at the law firm Eversheds Sutherland, has said that penalties for sanctions violations are based on “strict liability”, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. [2]

With new hackers appearing every day, countries are taking every possible precaution to protect their data. OFAC’s warning is designed to cut off the flow of ransom payments to malicious actors by getting companies to think twice before paying.

[1] https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/

[2] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf?mkt_tok=eyJpIjoiWldObU56WTVOR1JrTXpneiIsInQiOiJGK3c1bUVoOVRZWnJMZmMxeEhDMUgyZDNrbmdGc1FEWjlnTWpkcmh1QmN5NW04bG5rUzM2VXEzR1NsWTdKSVRZMllhcmo2TjU5RGtnWWsxelwvVEpWUHJhNkU1bkFHTFwvajRQcWZ4Zzl3XC9NekxxMURLWU5nNkhRaXZDY1JMb2kzdiJ9