The Office of Foreign Assets Control of the US Treasury Department (OFAC) said paying ransoms to attackers during ransomware attacks could violate US sanctions.
According to a notice issued by OFAC , companies agreeing to buybacks during ransomware attacks could be fined by the United States for violating sanctions. Under the International Emergency Economic Powers Act (IEEPA) and the Trade With Enemy States Act (TWEA), US citizens are prohibited from transacting with countries under sanctions or with people on the OFAC “ sanctions list ”. According to the Ministry of Finance, it is precisely these people who carry out attacks using ransomware viruses.
As the number of ransomware attacks grows, companies are emerging to help simplify payments to hackers. The OFAC document mentions “financial institutions, cyber insurance firms, and incident response companies” that “encourage future payments to attackers.” Of particular concern to the government is that paying ransoms allows hackers to get money, while the purpose of sanctions is to deny them and the government access to capital. The document notes:
“Ransomware ransoms made to sanctioned individuals can be used to fund activities that are detrimental to US national security and foreign policy. OFAC can impose penalties for violations of the sanctions even if the paying ransom did not know he was involved in an illegal transaction. ”
However, buybacks can be made subject to certain conditions. According to OFAC’s guidelines, companies helping to pay ransomware during ransomware attacks should “implement a risk-based compliance program to reduce the likelihood of sanctions breaches.” These companies must also consider their “regulatory obligations” to the Financial Crime Enforcement Network (FinCEN), OFAC notes.
Hackers are increasingly attacking large organizations and demanding ransom in cryptocurrencies. Last month, a group of hackers NetWalker hacked into the system of Argentina’s National Migration Board (DNM), demanding to pay $ 4 million in BTC. In June, a malware attack launched by NetWalker hit three universities in the United States. The University of California at San Francisco had to pay $ 1.14 million in BTC to regain access to important research data, and Michigan State University refused to pay the ransom to hackers. According to McAfee, NetWalker hackers have managed to get more than $ 25 million from victims since March 2020 .