The US Treasury department has warned that facilitating payments to cybercriminals to remove ransomware from IT systems risks breaching sanctions regulations.
In an advisory note published today, the treasury’s Office of Foreign Assets Control (OFAC) said demand for ransomware payments has increased during the Covid-19 pandemic.
Ransomware is designed to block access to a computer system or data to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.
OFAC warned that if a cyber-criminal is already subject to sanctions, paying them, or facilitating a payment to them on behalf of a victim, could constitute a breach of regulations. This could lead to legal repercussions including fines of up to $20 million.
OFAC has designated numerous cyber-criminals under its sanctions programme who perpetrate ransomware attacks. It gives the example of the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.
In some cases, in addition to the attack, cyber actors have threatened to publicly disclose victims’ sensitive files. Ransomware cases increased 37% from 2018 to 2019 according to the Federal Bureau of Investigation.
OFAC said that making ransomware payments also encourages cyber-criminals to carry out further attacks. “In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data,” it said. OFAC is instead urging victims of ransomware to contact government agencies immediately.
In response to the note, David Carlisle, head of policy and regulatory affairs at Elliptic, posted on the LinkedIn social media platform: “Cryptoasset exchanges need to ensure they can monitor for any potential payments from their customers to these ransomware campaigns and should exercise scrutiny to ensure they do not enable prohibited transactions.”