The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing an advisory to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments. This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program.

It identifies U.S. government resources for reporting ransomware attacks and provides information on the factors OFAC generally considers when determining an appropriate enforcement response to an apparent violation, such as the existence, nature, and adequacy of a sanctions compliance program.

The advisory also encourages financial institutions and other companies that engage with victims of ransomware attacks to report such attacks to and fully cooperate with law enforcement, as these will be considered significant mitigating factors.

Melody J. Kaufmann, cybersecurity specialist for Saviynt, says, "This advisory is a lot like a good-looking partner who is a horrible person. On the surface, it's attractive, but there's an awful lot that's wrong about it. Ransomware persists because it's profitable. Penalizing businesses that pay off attackers sounds like it will make ransomware less lucrative. The converse is true. This advisory will propagate ransomware rather than reduce it for three key reasons. First, it disincentivizes reporting ransomware attacks, robbing law enforcement, security professionals, and analysts of data vital to combat future attacks. Second, it fails to provide an effective data recovery alternative. Third, It favors big corporations while crushing small to medium businesses beneath its heel."

Kaufmann adds, "Small and medium businesses are notorious for having weak security because maintaining an information security team is often cost-prohibitive. Lack of security increases their risk and the likelihood of infection. This advisory discourages them from contacting law enforcement by increasing the chance of a fine. Often paying the ransom is cheaper than the cost of losing their data or recovering from back-ups, which few small businesses even maintain. The treasury department will only learn of a ransomware attack on a small or medium business via a disgruntled employee or a media outlet reporting it. By not engaging law enforcement, these businesses reduce the odds of dealing with a penalty. For companies struggling in an economy devastated by the pandemic, recovering operations after an attack is the difference between survival and permanent closure.  Adding the weight of a penalty simply because they reported the attack could push them out of business. This advisory makes contacting law enforcement more of a threat than the attack itself."

"Larger businesses, on the other hand, know the eyes of the world are watching; thus, involving law enforcement isn't out of the norm. A ransomware attack on these operations will hit the news cycle, so a cover-up isn't feasible. Enterprises with enough resources to maintain a security team generally have both an off-site back-up as well as a recovery plan recoverable. Neither Penalties nor the expense of "full and timely cooperation with law enforcement" are likely to force them out of business should they elect to pay the ransom," says Kaufman. "On close inspection, this treasury advisory is a performance theater on their part with the potential for harmful unintended consequences rather than a realistic attempt to staunch the flood of ransomware attacks. At best, it creates excessive burdens on all companies to demonstrate compliance with law enforcement.  On the other hand, it leans heavily toward victim-blaming encouraging small and medium businesses to remain silent about attacks they might otherwise have reported."