The Office of Foreign Assets Control (OFAC) has warned that paying out to recover from ransomware attacks can be a breach of its rules.
- In an advisory issued Friday, OFAC – a wing of the U.S. Department of the Treasury – said there's a sanctions risk with complying with such demands, which have increased since the start of the coronavirus pandemic.
- The Office specifically pointed to companies that facilitate negotiations with cyber attackers regarding ransomware payouts.
- Firms including financial institutions, insurance firms and others working in digital forensics, "not only encourage future ransomware payments demands but also may risk violating OFAC regulations," it said.
- Ransomware is malicious software that propagates across computer networks and will lock up systems using encryption.
- In order to receive a key to unlock their files and infrastructure, victims normally need to pay out a ransom in cryptocurrency.
- OFAC cites data from the Federal Bureau of Investigation indicating ransomware demands rose by 37% in from 2018 to 2019, while the level of losses to such attacks rose 147% over the same period.
- With OFAC responsible for issuing economic and trade sanctions against foreign nations or entities considered to infringe the U.S.'s foreign and security policies, it said that paying ransoms to those on its Specially Designated Nationals And Blocked Persons List could result in fines.
- Civil penalties can be applied even if the payer did not know the recipient was on the list, the Office warned.
- Such a situation may be mitigated if the entity facing a ransom demand submits a "timely and complete" report on the attack to law enforcement. Victims should also reach out to OFAC, according to the advisory.
- The warning came the same day the U.S. Financial Crimes Enforcement Network (FinCEN) issued its own advisory on ransomware, stressing that governmental entities and financial, educational and health care institutions have been seeing more of these attacks.