View the Advisory here.
Relatedly, Treasury’s Financial Crimes Enforcement Network (FinCEN) issued guidance alerting financial institutions to their role in processing ransomware and associated payments, red flags, and reporting information.
Why OFAC’s Ransomware Advisory Matters
Included on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) are a number of “malicious cyber actors” designated pursuant to OFAC’s Cyber-Related or North Korea sanctions. Under these programs, making an SDN-related ransom payment, directly or indirectly facilitating such a payment, or even making related insurance or reinsurance claims payments is likely a prohibited dealing in property (including services) in which the SDN has an interest if conducted by a US person or otherwise subject to US jurisdiction. Civil penalties per violation can be up to $307,922 or twice the value of the payment at issue (whichever is higher); and criminal penalties for knowing violations can be up to $1,000,000 and 20 years in prison.
Accordingly, US individuals and entities wherever located – including ransomware victims, financial institutions, incident response companies, and insurers that process ransomware-related payments – should avoid engaging in transactions involving SDNs in the ransomware context. Transactions could include directly or indirectly receiving customer funds, exchanging them for convertible virtual currency, transferring them to the attacker’s accounts, or making the ransom victim whole through an insurance payment related to a ransom payment. Additionally, any foreign individual or entity that sends a ransomware-related payment involving an SDN through the United States can also be subject to civil and criminal penalties.
OFAC Names Specific Ransomware and Malware, But Does Not Clearly Make Them Off-Limits
In its Advisory, OFAC identifies the following relevant ransomware and malware and their SDN connections:
- Cryptolocker ransomware, developed by Cyber SDN Evgeniy Mikhailovich Bogachev
- SamSam ransomware, linked to Cyber SDNs Ali Khorashadizadeh and Mohammad Ghorbaniyan and two digital currency addresses
- WannaCry 2.0 ransomware, linked to North Korea SDNs Lazarus Group, Bluenoroff, and Andariel
- Dridex malware developed and distributed by Cyber SDNs Evil Corp, and its leader, Maksim Yakubets
Although OFAC provides this list of ransomware-related SDNs, the Advisory raises more questions than it answers with respect to the specific ransomware and malware it identifies. Left unanswered is whether all cyber ransom attacks using the various ransomware and malware identified are to be assumed to involve the associated SDN, especially when there is evidence that other entities are able to use the same ransomware and malware. The Advisory itself, in noting that the Dridex malware was not just developed but was distributed by the SDN Evil Corp, makes clear that not all ransomware attacks using these malware are attacks in which the SDN has an interest.
OFAC Knows How To Make Legal Links to SDNs, But It Has Not Done So Here
A tried and true way to legally link ransomware like WannaCry 2.0 to an SDN like Lazarus Group is for OFAC to amend the SDN List to add the new name to the SDN’s identifying information. Lazarus Group, for example, already has 11 listed “weak aliases,” including the somewhat colorful “Guardians of Peace” and “The New Romantic Cyber Army Team,” against which millions of transactions every day worldwide are screened by countless financial institutions and other businesses. OFAC could add “WannaCry 2.0” to that list to make it clear that any transactions using WannaCry 2.0 should be assumed to include an interest of Lazarus Group.
Although the SDN List includes the SDNs named above, OFAC has not seen fit to add any of the listed ransomware or malware that it has associated with these parties to the SDN List, even as weak aliases for the relevant SDNs. The one possible exception is that “Dridex Gang” is listed as an alias for SDN Evil Corp, but the word “Gang” in Dridex Gang suggests that is a separate entity and not the malware. Thus, the presence of the related ransomware or malware – whether Cryptolocker, SamSam, WannaCry 2.0, or Dridex – does not mean an SDN necessarily has any interest in the related transactions.
So What Is a Poor Cyber-Ransomed Company (or its Incident Response Providers or Insurers) to Do?
Often the only things a ransomware target or its incident response providers or insurers will know about the attacker are the ransomware and/or malware used, an untraceable email address for communicating with the attacker, and a digital currency address to which the ransom is to be paid. All of this information, of course, should always be run against the SDN List. From time to time OFAC does provide identifying email addresses and digital currency addresses on the SDN List, and perhaps it will add specific ransomware and malware in the future. A positive hit should stop payment of any ransom until an interest of the relevant SDN can clearly be ruled out.
But if there are no SDN List hits, and if the only link to a possible sanctions nexus is the use of one of the four ransomware or malware strains listed in OFAC’s Advisory, there is little guidance in the Advisory regarding how to proceed. The Advisory does, however, provide guidance on how to ensure that the possibility and severity of a subsequent OFAC enforcement action, were one to be considered by OFAC, would be significantly mitigated.
OFAC will consider a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” to be a significant mitigating factor if an OFAC enforcement investigation is initiated and an SDN interest is subsequently determined to have been present. OFAC also will consider a company’s “full and timely cooperation with law enforcement both during and after a ransomware attack” as a significant mitigating factor. OFAC’s instruction is loud and clear: reach out to law enforcement immediately (preferably before providing payment), continue to cooperate with law enforcement, and consider sending a follow-up report of the ransomware attack to law enforcement.
Who You Gonna Call?
With respect to contacting, cooperating with, and follow-up reporting to law enforcement, the Advisory provides a whopping seven points of contact. It would be wonderful if the suggested outreach to the listed US Government offices would result in a swift, coordinated, and helpful response assisting a ransomware victim in determining whether it is dealing with a sanctioned entity. Unfortunately, these qualities are not always the hallmarks of government offices laboring under bureaucratic and resource limitations. Asking a victim of ransomware – while its servers are frozen, its communication system is hobbled, and its customers are demanding answers – to consider seeking guidance from up to seven different government offices seems a bit much.
It is not OFAC’s fault, of course, that there is an overabundance of enforcement offices jumping at the chance to help ransomware victims. But both the government and ransomware victims probably would be better served if there were one point office that could coordinate for the government and advise the victim with one voice.
For the record, though, here are all seven contacts the Advisory suggests:
- US Department of the Treasury’s Office of Foreign Assets Control
- US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
- Financial Crimes Enforcement Network (FinCEN)
- Federal Bureau of Investigation Cyber Task Force
- US Secret Service Cyber Fraud Task Force
- Cybersecurity and Infrastructure Security Agency
- Homeland Security Investigations Field Office
OFAC’s Advisory generally condemns ransomware payments, warning that such payments will “embolden” actors to engage in future cyberattacks, but the Advisory stops short of stating that OFAC considers all ransom payments associated with the ransomware and malware it identifies – Cryptolocker, SamSam, WannaCry 2.0, or Dridex – to be prohibited payments in which an SDN has an interest. The Advisory unfortunately does not offer guidance on how to connect the dots between a particular ransomware attack and whether a sanctioned party is behind the attack. However, it does make clear that early and cooperative contact with law enforcement, most preferably before a ransom is paid, is essential to lowering a company’s risk, and companies that may be comfortable subsequently filing a report on the ransomware attack with an enforcement office should give that option serious consideration.