{"id":41901,"date":"2020-10-08T08:09:16","date_gmt":"2020-10-08T15:09:16","guid":{"rendered":"https:\/\/www.enxmag.com\/twii\/?p=41901"},"modified":"2020-10-08T08:09:18","modified_gmt":"2020-10-08T15:09:18","slug":"paying-ransomware-criminals-might-land-you-a-steep-federal-fine","status":"publish","type":"post","link":"http:\/\/www.enxmag.com\/twii\/the-week-in-imaging-twii\/editors-blog\/2020\/10\/paying-ransomware-criminals-might-land-you-a-steep-federal-fine\/","title":{"rendered":"Paying Ransomware Criminals Might Land You a Steep Federal Fine"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignleft\"><img loading=\"lazy\" width=\"299\" height=\"199\" src=\"https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/10\/KnowBe4-Pic.jpg\" alt=\"\" class=\"wp-image-41902\"\/><\/figure><\/div>\n\n\n\n<p>The U.S. Treasury Department&#8217;s Office of Foreign Assets Control (OFAC) has sanctioned multiple ransomware criminals over the last few years, most notably the Russian cybercrime syndicate aptly named Evil Corp. However, not only Eastern European hackers were sanctioned; various North Korean and Iranian actors are also on the list. <\/p>\n\n\n\n<p>On Oct 1, OFAC made it clear to U.S. companies that paying millions of dollars in ransom to those groups will invite hefty fines from the federal government. <\/p>\n\n\n\n<p><strong>To pay or not to pay<\/strong><\/p>\n\n\n\n<p>That puts any organization that becomes a ransomware victim between a rock and a hard place. If they don&#8217;t pay the ransom, the downtime will be extremely costly, or the hackers may leak their sensitive customer data. 
If they do, even through a third-party mediator, they could find themselves in deep trouble stateside because it&#8217;s impossible on short notice to verify who the cybercriminal holding your data hostage really is.<\/p>\n\n\n\n<p><strong>Fines of up to $20 million <\/strong><\/p>\n\n\n\n<p>In its <a href=\"https:\/\/home.treasury.gov\/system\/files\/126\/ofac_ransomware_advisory_10012020_1.pdf\">advisory<\/a>, OFAC said, \u201ccompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.\u201d<\/p>\n\n\n\n<p>Those that run afoul of OFAC sanctions without a special dispensation or \u201clicense\u201d from Treasury can face several legal repercussions, including fines of up to $20 million. OUCH.<\/p>\n\n\n\n<p><strong>Come clean and involve authorities right away<\/strong><\/p>\n\n\n\n<p>Intrepid cybercrime investigative reporter Brian Krebs noted: &#8220;Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury\u2019s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and\/or third-party security firms.<\/p>\n\n\n\n<p>Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.<\/p>\n\n\n\n<p>\u201cIn my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,\u201d he said. 
\u201cThere are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.\u201d<\/p>\n\n\n\n<p>Along those lines, OFAC said the degree of a person\/company\u2019s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider \u201ca company\u2019s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":178,"featured_media":41902,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[80,1650,82,3371,1638],"tags":[3891],"_links":{"self":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41901"}],"collection":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/users\/178"}],"replies":[{"embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/comments?post=41901"}],"version-history":[{"count":1,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41901\/revisions"}],"predecessor-version":[{"id":41903,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41901\/revisions\/41903"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/media\/41902"}],"wp:attachment":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/media?parent=41901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/categories?post=41901"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/tags?post=41901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}