The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned multiple ransomware criminals over the last few years, most notably the Russian cybercrime syndicate aptly named Evil Corp. However, not only Eastern European hackers were sanctioned, various North Korean and Iranian actors are also on the list.

Oct 1st, 2020 OFAC made it clear to U.S. companies that paying millions of dollars of ransoms to those groups will invite hefty fines from the federal government.

To pay or not to pay

That puts any organization that becomes a ransomware victim between a rock and a hard place. If they don't pay the ransom, the downtime will be extremely costly, or the hackers may leak their sensitive customer data. If they do, even through a third-party mediator, they could find themselves in deep trouble stateside because it's impossible on short notice to verify who the cyber criminal really is that is holding your data hostage.

Fines of up to 20 million

In its advisory (PDF), OFAC said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million. OUCH.

Come clean and involve authorities right away

Intrepid cybercrime investigative reported Brian Krebs noted: "Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury’s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.

Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.

“In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

Along those lines, OFAC said the degree of a person/company’s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

Preventing a ransomware infection gets more Important than ever

There are only a few ways that the bad guys get in your networks. Your users are the largest attack surface and the easiest to hack. It takes 3 months to hack hardware, 3 weeks to hack software, and 3 minutes to hack a human. You absolutely need a strong human firewall as your last line of defense. See the most powerful platform in the market and get your one-on-one demo.