{"id":8129,"date":"2020-10-19T04:07:43","date_gmt":"2020-10-19T04:07:43","guid":{"rendered":"http:\/\/ncjolt.org\/?p=8129"},"modified":"2020-11-07T04:27:04","modified_gmt":"2020-11-07T04:27:04","slug":"the-treasury-departments-recent-advisory-puts-ransomware-victims-in-a-bind","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/the-treasury-departments-recent-advisory-puts-ransomware-victims-in-a-bind\/","title":{"rendered":"The Treasury Department\u2019s Recent Advisory Puts Ransomware Victims in a Bind"},"content":{"rendered":"\n

The Treasury Department\u2019s Office of Foreign Assets Control (OFAC) issued an advisory last week that addresses<\/a> the \u201csanctions risks associated with ransomware payments.\u201d (OFAC administers and enforces<\/a> economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers) However, this advisory functions like a flat tire for a car with a broken engine. That is to say that OFAC\u2019s recent advisory could cause a headache for persons that are likely in the midst of a hostage situation.<\/p>\n\n\n\n

By threatening ransomware victims with further sanctions for not cooperating or not disclosing as much information as possible, OFAC aims to learn more about these ransomware attacks and how to prevent them.<\/p><\/blockquote>\n\n\n\n

The advisory makes clear that entities which facilitate ransomware payments are at risk of civil liability for engaging with persons on OFAC\u2019s Specially Designated Nationals and Blocked Persons List (SDN List). This threat of more fines is the last announcement that victims of cyberattacks want to hear. Understandably, no one wants to pay ransomware hackers, and almost always do so out of a need to access the trapped data. But by threatening sanctions for cooperating with ransomware hackers, the OFAC risks putting an even bigger burden on entities that are already hurting due to their reluctant involvement with these criminals.<\/p>\n\n\n\n

It is important to understand the background of ransomware attacks and their increased prevalence, as well as an understanding of what sorts of entities are at risk. With that foundation established, the Department of Treasury\u2019s recent advisory can be interpreted with more context.<\/p>\n\n\n\n

Background of ransomware<\/strong><\/p>\n\n\n\n

Ransomware attacks take place by simple methods. Often, someone associated with an organization gets hacked, whether it is by a phishing attempt or some other method. Hackers then infiltrate that employee\u2019s computer system and encrypt valuable data. This data becomes \u201cinaccessible without a complex key<\/a> that is provided only to those who pay the ransom.\u201d<\/p>\n\n\n\n

The frequency of these ransomware attacks is growing rapidly. Specialty insurer Beazley Group reported<\/a> in June that there was a \u201c25% rise in ransomware attacks reported to its breach response team in the first three months of this year compared with the final quarter of last year.\u201d Since the pandemic hit, experts have seen a \u201cdramatic increase<\/a>\u201d in data security incidents.<\/p>\n\n\n\n

Ransomware attacks affect a wide range of entities. Whether it is universities like U.C. San Francisco which paid $1.14M<\/a> in a recent attack, or a health agency system in Illinois<\/a>, ransomware hackers do not discriminate when it comes to targets. For instance, attacks in the manufacturing sector are up 156%<\/a> quarter on quarter. Additionally, ransomware hackers have been known to attack cities and municipalities: in 2019, more than forty attacks<\/a> on city agencies took place.<\/p>\n\n\n\n

As is evident by the sums paid, ransomware hackers seek out valuable data and are unafraid to use their bargaining power. For these local departments that fall prey to hackers, a failure to pay the ransom demands can result in a severe slowdown of communication, and a return to handwriting. Ransomware attacks on hospitals are \u201cthreat-to-life<\/a> crimes because they directly threaten a hospital\u2019s ability to provide patient care, which puts patient safety at risk.\u201d<\/p>\n\n\n\n

OFAC\u2019s Advisory<\/strong><\/p>\n\n\n\n

Directed towards targets of ransomware attacks, OFAC\u2019s advisory announced that the Treasury Department should be utilized as a resource when these attacks take place. The announcement was issued as \u201cdemand for ransomware payments has increased during the COVID-19 pandemic<\/a>.\u201d Sadly, hackers have begun to take advantage of the online systems that Americans rely on to work remotely. In the advisory, OFAC  invokes the authority of The International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) in a reminder to these entities that U.S. persons are \u201cprohibited from engaging in transactions<\/a>, directly or indirectly, with individuals or entities\u201d on OFAC\u2019s SDN list.<\/p>\n\n\n\n

OFAC may impose civil penalties for sanctions violations on a theory of strict liability. This means that a U.S. person subject to United States jurisdiction could be held liable even if they did not know or have reason to know that they were engaging in a transaction with a person or entity that is prohibited by sanctions or laws or OFAC\u2019s regulations. However, the advisory goes on to explain that a ransomware victim\u2019s self-initiated, timely, and complete report of a ransomware attack to law enforcement will be a significant mitigating factor in determining an appropriate enforcement outcome.\u201d Moreover, OFAC will also consider full cooperation with law enforcement both during and after a ransomware attack to be a \u201csignificant mitigating factor\u201d when determining possible enforcement outcomes.<\/p>\n\n\n\n

It is clear that the U.S. Department of Treasury and OFAC are in an information gathering stage. By threatening ransomware victims with further sanctions for not cooperating or not disclosing as much information as possible, OFAC aims to learn more about these ransomware attacks and how to prevent them. The advisory was likely aimed at businesses who don\u2019t report ransomware attacks out of fear that the cover-up will cost more than the crime. The number of unreported ransomware attacks is tough to know, but the reported ones can take years to recover from and cost anywhere from thousands of dollars to billions<\/a>.<\/p>\n\n\n\n

Next Steps<\/strong><\/p>\n\n\n\n

While It might seem counterintuitive to threaten the persons getting robbed with more fines, it looks like OFAC is trying to make its services known and encourage cooperation with law enforcement agencies. In the meantime, the emphasis should be on educating vulnerable internet users of hackers\u2019 techniques to compensate for cybersecurity teams that are stretched thin from the pandemic.<\/p>\n\n\n\n

Zach Corenblum, JD Candidate, 2022, UNC School of Law <\/strong><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

The Treasury Department\u2019s Office of Foreign Assets Control (OFAC) issued an advisory last week that addresses the \u201csanctions risks associated with ransomware payments.\u201d (OFAC administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers) However, this advisory functions like a flat tire for a car with …<\/a><\/p>\n","protected":false},"author":4,"featured_media":8130,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8129"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=8129"}],"version-history":[{"count":3,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8129\/revisions"}],"predecessor-version":[{"id":8166,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8129\/revisions\/8166"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/8130"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=8129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=8129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=8129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}