Cybersecurity and Physical Security

Treasury warns that ransomware payments can violate federal regulations

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) earlier this month issued an advisory warning that entities making ransomware payments could be in violation of OFAC regulations and subject to fines.

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations, OFAC said in the advisory.

Ransomware blocks access to a computer system or data until a payment is made to the cyber attacker.

Ransomware attacks are on the rise, in part because of a shift to virtual business interactions as a result of COVID-19 precautions.

In the second quarter, the number of ransomware attacks remediated more than tripled compared with the previous quarter, according to the IBM Security X-Force Incident Response report.

IBM Security X-Force also noted a shift in ransomware attacks. The attacks hit manufacturing companies hardest, accounting for nearly a quarter of all incidents responded to so far this year. The professional services sector is the second most targeted industry, accounting for 17% of ransomware attacks, with government organizations third with 13% of attacks. IBM said the shift suggests that ransomware actors are looking for victims with a low tolerance for downtime.

In the past several years, OFAC has added numerous malicious cyber actors to its cyber-related sanctions program.

Facilitating a ransomware payment may enable criminals and adversaries to profit and advance their illicit aims, OFAC said in its advisory. The payments could fund activities “adverse to the national security and foreign policy objectives of the United States.”

Ransomware payments could also embolden cyber actors to engage in future attacks, OFAC said, adding that paying a ransom does not guarantee that the victim will regain access to its stolen data.

OFAC said it encourages “financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” adding that its advice also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response.

In the advisory, OFAC encouraged victims and those involved in addressing ransomware attacks to contact OFAC or the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection, and provided contact information for Treasury offices as well as for other government agencies, including the FBI.

OFAC’s advisory is not a new policy but emphasizes existing policies. OFAC also said its advisory is “explanatory only and does not have the force of law.”

APPA recommends that public power utilities impacted by ransomware immediately consult with their local FBI branch office. The Public Power Cyber Incident Response Playbook, released in 2019, also provides recommendations for responding to any type of cybersecurity incident.