The US Treasury Department today published guidance for the narrow set of circumstances in which a ransomware payment may violate US sanctions.
The guidance applies where an individual or company has had its data encrypted by a ransomware gang that is itself sanctioned, or that is affiliated with a cybercrime group the US Treasury has sanctioned in years past.
The Treasury says that making a ransomware payment in this situation may violate sanctions and expose the parties involved to an enforcement investigation. Those parties could be:
- The victim;
- The financial institutions which processed the ransom payment; and
- Intermediaries such as cyber-insurance firms and companies involved in digital forensics and incident response.
US officials say that in these situations, victims should contact the Treasury's Office of Foreign Assets Control (OFAC) before deciding on making the payment.
"OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus," the agency said today.
Companies that contact law enforcement agencies when they are infected will also be looked upon favorably "in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."
According to OFAC's advisory, the following individuals and groups have already been sanctioned, and a ransomware payment made to them, whether directly or through an entity with a sanctions nexus, is considered a sanctions violation:
- Evgeniy Mikhailovich Bogachev, the developer of the now-defunct Cryptolocker ransomware
- Ali Khorashadizadeh and Mohammad Ghorbaniyan, the two Iranian nationals sanctioned for helping launder the proceeds of the now-defunct SamSam ransomware
- The Lazarus Group and two sub-groups, Bluenoroff and Andariel, for their links to the WannaCry ransomware
- Maksim Yakubets and the EvilCorp group for their links to the Dridex trojan and its malware distribution operation, which also included the BitPaymer ransomware.
The Treasury published this guidance in the aftermath of the ransomware attack on wearables maker Garmin. The attack was carried out with a ransomware strain named WastedLocker, believed to be the successor of the BitPaymer ransomware and connected to the EvilCorp group.
Garmin is said to have paid the ransom demand.
ZDNet, along with reporters from the Wall Street Journal and other news outlets, reached out to the Treasury following the incident to inquire if Garmin had broken US sanctions by making a payment to an EvilCorp nexus.
Sources close to the Treasury, but not inside the department, told ZDNet that the Treasury was aware that fully blocking ransom payments might leave some companies unable to recover their data, forcing them to shut down or suffer considerable losses.
The Treasury declined to comment at the time but today released an advisory detailing its stance on the matter.
But today's document also does not give victims and cyber-security firms a clear path to making a sanctioned payment simply by notifying OFAC in advance.
The Treasury specifically said today that "license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial." [Emphasis ours]
Those who do not abide by the new guidance risk substantial civil penalties. Notably, OFAC can impose those penalties on a strict-liability basis, so a victim or intermediary may be held liable even if it did not know, or have reason to know, that the party receiving the payment was sanctioned.