Financial companies, insurers and forensic analysis firms that pay a ransom in a ransomware attack could receive fines and penalties from the US Treasury Department

The past two years have seen a significant increase in the number of successful ransomware attacks, so private companies and organizations around the world are trying to take more and better measures to prevent these incidents.

As some users will remember, ransomware is a variant of malware used by hacking groups to block access to a computer system or stored data and demand that victims pay a ransom in exchange for regaining access to the compromised information. Otherwise, victims may lose their data permanently.

Usually, these ransoms are to be paid via a cryptocurrency transfer, which gives hackers the ability to cover their traces, as these operations are virtually impossible to track. According to cyber security specialists, factors such as the coronavirus pandemic, social distancing measures and the use of remote work platforms have contributed to the unexpected growth of ransomware during 2020.

As recovery processes can be highly costly, many companies simply decide to give in to the demands of criminals and pay the ransom, although security and law enforcement agencies point out that this is a risky practice. Still, multiple insurers and cybersecurity firms recommend negotiating with threat actors, some even offering insurance policies in case of ransomware infection.

Paying the ransom to hackers is not a crime, although a recently revealed proposal could pose more problems for victims of this malware variant.

A proposal from the Office of Foreign Assets Control (OFAC), in conjunction with the Financial Crimes Enforcement Network (FinCEN), points to the need to establish controls on negotiations with threat actors, adding the risk of sanctions for organizations that choose to pay a ransom. These offices, which are part of the U.S. Department of the Treasury, argue that paying a ransom could even be considered a violation of multiple existing laws, as well as encouraging and financing future attacks.

OFAC has developed a list of threat actors and cryptocurrency addresses used to receive ransom payments. Anyone who assists, sponsors or establishes contact with any of the identified individuals or groups is considered subject to financial and even criminal sanctions: “Any payment to listed actors, including ransom payments, is a violation of economic sanctions laws, regardless of whether or not the parties involved had reason to know that these actions are punished,” adds OFAC.

As an alternative to paying ransoms, OFAC recommends that ransomware victims immediately report any incidents to the competent authorities, as the Office considers that prompt intervention by law enforcement may be decisive in tracking the groups behind these incidents, preventing future incidents.

FinCEN, for its part, asks organizations that process any payment allegedly related to a ransomware attack to notify the authorities for investigation purposes. FinCEN notes that ransomware attacks are growing in size, scope and sophistication, indicating potential cooperation between multiple groups of threat actors. For obvious reasons, this sophistication demands an equal response from the relevant authorities.

Both offices consider that adopting a proactive posture is the best way to deal with ransomware groups without having to negotiate with attackers or pay a ransom. FinCEN also listed some early warning signs that could help victims mitigate the scope of an active infection, as well as some data that may be vital to the investigation of an attack. To this end, FinCEN recommends:

  • Look for any signs of computer activity that shows the existence of ransomware on a device, including system log files
  • Identify the cryptocurrency address associated with threat actors

In conclusion, FinCEN reminds financial organizations that they have legal obligations to comply with under the Bank Secrecy Act, so they must notify authorities of any suspicious activity, including ransomware incidents and related payments.    

This notice also provides information on how financial institutions and other types of firms should report and share details related to any ransomware incidents, so companies will need to adhere to these recommendations so as not to face legal retaliation.