Paying Ransomware Demands May Violate Sanctions, US Treasury Warns


Never pay. Insurers and others are warned by US Treasury Dept that cyberattack payouts to hackers may violate US sanction rules

US officials have issued a stark warning to financial institutions and insurers who have paid hackers following cyberattacks.

In recent years – despite clear advice from security professionals – there has been a spate of payouts to cybercriminals following ransomware attacks, as well as payouts to stop hackers targeting particular businesses, or for them to delete sensitive data stolen in an attack.

But now the US Treasury Department has official warned insurers or anyone else paying these online criminals, they could well be violating US sanction rules, Reuters reported.

Sanction warning

The warnings came in advisories from the US Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN).

It specifically mentions ransomware, which typically cripples a victims computer network by infecting and encrypting it, and demanding a ransom (typically paid in cryptocurrency) in return for an encryption key to unlock systems.

OFAC reportedly cited cyberattacks dating to 2015 that were traced to hackers in North Korea and Russia, both countries that have US sanctions against them.

FinCEN has also warned to a growing industry of forensics firms that help organisations respond to cyberattacks, including processing the payment.

The United States can impose economic and trade sanctions on countries that sponsor terrorism or violate human rights, Reuters reported.

This means that financial institutions that engage with them or some individuals can face prosecution and penalties.

Hacker payouts

And there is a very good reason the US Treasury’s Office has issued these warnings, in light of the current circumstances.

Recent ransomware attacks have targeted hospitals with devastating effects (including deaths), but these attacks have also crippled factories, companies, and even whole cities.

In the US alone, 764 healthcare providers were hit by ransomware last year, according to data compiled by Emsisoft.

And despite advice against it, some of these institutions opt to pay the hackers.

In July for example, fitness and navigation specialist Garmin admitted that it was the victim of a ransomware attack, after first reporting an “outage”.

Media reports at the time suggested Garmin had “obtained the decryption key” to recover its computer files, but the firm “did not directly make a payment to the hackers.”

This meant that Garmin may have made a payment via a third party, but if that is the case, the company risked violating US Treasury sanctions against the Russian hackers Evil Corp.

In June this year, the city of Keizer (in Oregon) reportedly paid a ransom of $48,000 to regain control of its computer system after a ransomware attack.

In January of this year, a ransom of $300,000 was paid by Tillamook County (in Oregon) to recover systems following a ransomware attack.

Last year Lake City (in Florida) opted to pay hackers after a ransomware attack. They paid a staggering $500,000 (£394,000), most of which covered by an insurance policy.

Another city – Riviera Beach City (also in Florida) – also voted unanimously to pay hackers $600,000 who took over their computer systems via a ransomware attackin 2019.

US warning

But will the clear warning from the US Treasury’s Office actually halt these payouts to hackers?

Well, it will add another layer of concern for cyber insurers, who have been ramping up rates and trying to curb exposure to vulnerable customers because of surging costly ransomware claims in recent years, Reuters reported.

The average ransomware payment reportedly jumped by 60 percent to $178,254 between the first and second quarters, according to Coveware (a firm that reportedly helps negotiate and facilitate cyber ransom payments).

Sophisticated insurers and financial institutions are already aware of the sanctions concern, Sumon Dantiki, a King & Spalding LLC lawyer who advises on national security and cyber matters told Reuters.

“Will victims who are insured still decide to make the payments?” Dantiki said. “This type of public advisory could affect the calculus there.”