The Treasury Department’s Recent Advisory Puts Ransomware Victims in a Bind

The Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory last week that addresses the “sanctions risks associated with ransomware payments.” (OFAC administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers) However, this advisory functions like a flat tire for a car with a broken engine. That is to say that OFAC’s recent advisory could cause a headache for persons that are likely in the midst of a hostage situation.

By threatening ransomware victims with further sanctions for not cooperating or not disclosing as much information as possible, OFAC aims to learn more about these ransomware attacks and how to prevent them.

The advisory makes clear that entities which facilitate ransomware payments are at risk of civil liability for engaging with persons on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). This threat of more fines is the last announcement that victims of cyberattacks want to hear. Understandably, no one wants to pay ransomware hackers, and almost always do so out of a need to access the trapped data. But by threatening sanctions for cooperating with ransomware hackers, the OFAC risks putting an even bigger burden on entities that are already hurting due to their reluctant involvement with these criminals.

It is important to understand the background of ransomware attacks and their increased prevalence, as well as an understanding of what sorts of entities are at risk. With that foundation established, the Department of Treasury’s recent advisory can be interpreted with more context.

Background of ransomware

Ransomware attacks take place by simple methods. Often, someone associated with an organization gets hacked, whether it is by a phishing attempt or some other method. Hackers then infiltrate that employee’s computer system and encrypt valuable data. This data becomes “inaccessible without a complex key that is provided only to those who pay the ransom.”

The frequency of these ransomware attacks is growing rapidly. Specialty insurer Beazley Group reported in June that there was a “25% rise in ransomware attacks reported to its breach response team in the first three months of this year compared with the final quarter of last year.” Since the pandemic hit, experts have seen a “dramatic increase” in data security incidents.

Ransomware attacks affect a wide range of entities. Whether it is universities like U.C. San Francisco which paid $1.14M in a recent attack, or a health agency system in Illinois, ransomware hackers do not discriminate when it comes to targets. For instance, attacks in the manufacturing sector are up 156% quarter on quarter. Additionally, ransomware hackers have been known to attack cities and municipalities: in 2019, more than forty attacks on city agencies took place.

As is evident by the sums paid, ransomware hackers seek out valuable data and are unafraid to use their bargaining power. For these local departments that fall prey to hackers, a failure to pay the ransom demands can result in a severe slowdown of communication, and a return to handwriting. Ransomware attacks on hospitals are “threat-to-life crimes because they directly threaten a hospital’s ability to provide patient care, which puts patient safety at risk.”

OFAC’s Advisory

Directed towards targets of ransomware attacks, OFAC’s advisory announced that the Treasury Department should be utilized as a resource when these attacks take place. The announcement was issued as “demand for ransomware payments has increased during the COVID-19 pandemic.” Sadly, hackers have begun to take advantage of the online systems that Americans rely on to work remotely. In the advisory, OFAC  invokes the authority of The International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) in a reminder to these entities that U.S. persons are “prohibited from engaging in transactions, directly or indirectly, with individuals or entities” on OFAC’s SDN list.

OFAC may impose civil penalties for sanctions violations on a theory of strict liability. This means that a U.S. person subject to United States jurisdiction could be held liable even if they did not know or have reason to know that they were engaging in a transaction with a person or entity that is prohibited by sanctions or laws or OFAC’s regulations. However, the advisory goes on to explain that a ransomware victim’s self-initiated, timely, and complete report of a ransomware attack to law enforcement will be a significant mitigating factor in determining an appropriate enforcement outcome.” Moreover, OFAC will also consider full cooperation with law enforcement both during and after a ransomware attack to be a “significant mitigating factor” when determining possible enforcement outcomes.

It is clear that the U.S. Department of Treasury and OFAC are in an information gathering stage. By threatening ransomware victims with further sanctions for not cooperating or not disclosing as much information as possible, OFAC aims to learn more about these ransomware attacks and how to prevent them. The advisory was likely aimed at businesses who don’t report ransomware attacks out of fear that the cover-up will cost more than the crime. The number of unreported ransomware attacks is tough to know, but the reported ones can take years to recover from and cost anywhere from thousands of dollars to billions.

Next Steps

While It might seem counterintuitive to threaten the persons getting robbed with more fines, it looks like OFAC is trying to make its services known and encourage cooperation with law enforcement agencies. In the meantime, the emphasis should be on educating vulnerable internet users of hackers’ techniques to compensate for cybersecurity teams that are stretched thin from the pandemic.

Zach Corenblum, JD Candidate, 2022, UNC School of Law