Anyone who helps ransomware victims pay off hackers who are under U.S. sanctions could face stiff punishment themselves, the Treasury Department said Thursday.
The advisory from Treasury’s Office of Foreign Assets Control served notice to financial institutions and cyber insurance companies — as well as cybersecurity firms that help ransomware victims identify and respond to attacks — that they could suffer fines if they aided payments to attackers from places like Russia, North Korea or Iran that are on the U.S. sanctions list.
And OFAC indicated it would be inclined to be strict about it: Those civil penalties could be levied against companies that didn’t know they were facilitating ransom payments to hackers on its sanctions list.
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the office wrote.
The office will review each case individually when deciding when to impose fines, but said that “self-initiated, timely, and complete report of a ransomware attack to law enforcement” would help avoid civil penalties, as would cooperating with law enforcement.
Last month, Treasury went on a bit of a cyber sanctioning binge, slapping alleged hackers in Russia over interfering in the 2020 election and scamming cryptocurrency exchanges, as well as alleged Iranian hackers targeting dissidents and journalists.
Reducing the incentives
Abetting payments to hackers poses potential national security risks, OFAC said in explaining the reason for its advisory.
“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the advisory states. “Ransomware payments may also embolden cyber actors to engage in future attacks.”
It also noted the rise in ransom demands during the COVID-19 pandemic.
OFAC fines can exceed several million dollars, the office has said.
The advisory also comes one day after DHS’s Cybersecurity and Infrastructure Agency and the Multi-State Information Sharing & Analysis Center released a joint ransomware guide.