US gov’t warns against paying off ransomware attackers

Companies facilitating ransomware payments run the risk of facing stern penalties for violating US regulations

The COVID-19 pandemic has been accompanied by a surge in ransomware attacks targeting the computer systems of organizations in various industries, with an increasing number of victims opting to pay the ransom in an effort to resume operations as soon as possible. Against this backdrop, the US Treasury Department’s Office of Foreign Assets Control (OFAC) has now issued an advisory to warn organizations making or facilitating ransomware payments that they could run afoul of US regulations and face stern penalties.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulation,” reads the advisory, which is intended to “highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities”.

The warning is intended to dissuade organizations from paying ransom fees especially to cybercriminal gangs that have faced sanctions from the US government or are in any way connected to blacklisted entities. The Lazarus Group, which US authorities believe orchestrated the WannaCry aka WannaCryptor attack in 2017, and Evil Corp, which is behind the Dridex malware, are just two examples of such threat actors.

RELATED READING: The cyber insurance question

Typically, ransomware prevents access to a device or to data on it until the victim pays a fee. A number of ransomware gangs have recently expanded their tactics adding a form of doxing wherein they comb through the victims’ systems looking for sensitive data that they will then threaten to release unless an additional fee on top of the ransom is paid.

To highlight the magnitude of the ransomware scourge, OPAC referenced data from the FBI’s latest two Internet Crime Reports, which showed that reported ransomware cases increased by one-third between 2018 and 2019. What’s more, losses emanating from the incidents skyrocketed by almost 150 percent.

By paying the ransom fees, said OFAC, the victims are also effectively encouraging cybercriminals to continue and expand their operations and target other organizations. It’s also worth mentioning that even if a company ultimately decides to pay the ransom there is no guarantee that the black hats behind the attack will restore access to their systems or return any pilfered data.

Indeed, organizations would be better advised to take precautions that help them avoid ransomware attacks in the first place. These should include routine employee training on cybersecurity best practices, investing in business continuity solutions, creating regular backups, disabling internet-facing RDPs entirely as well as investing in a reputable multilayered security solution. For further advice on how organizations can protect themselves against ransomware you can refer to our detailed white paper, Ransomware: An enterprise perspective.

Latest Posts