Getty Images

Treasury Dept: Ransomware Payment Facilitation Could Be Sanction Risk

COVID-19 spurred an increase in ransomware attacks. The Treasury Department warns entities against facilitating ransomware payments for breach victims and possible sanction risks.

The US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanction risks associated with companies that facilitate ransomware payments to the threat actors on behalf of breach victims, as the act may violate OFAC regulations and encourage future attacks. 

COVID-19 has spurred a drastic increase in the frequency and sophistication of ransomware attacks, with many threat actors taking to the double extortion method. In these cyberattacks, the cybercriminal first gains a foothold onto the network, proliferating to all connected devices and exfiltrating sensitive data. 

The hacker will wait sometimes months before deploying the final ransomware payload. And if the organization refuses to pay, they then move to leaking some of the victim’s data to extort them into paying. Sometimes entities refuse, while others have paid up, then the hacker will supposedly return the stolen data. 

Healthcare has remained a prime target for these attacks, given that many do indeed pay the ransom to regain access to the stolen data and resume business operations. The latest incident involved the University of California San Fransisco, which paid its hackers $1.14 million to restore access to the servers of its School of Medicine. 

In April, RiskIQ reported that about 16 percent of healthcare entities will inevitably pay the ransom. Those recent victims include Blackbaud, DCH Health System, Kentucky’s Park DuValle Community Health Center, and NEO Urology, just to name a few. 

While security researchers and even federal agencies have empathized with these organizations leaning on their cyber insurance or outside security teams to facilitate these payments to release sensitive data, the FBI has repeatedly stressed that the move should be a last resort. 

What’s more, paying the ransom can actually double recovery costs associated with a ransomware attack. 

In light of a spate of ransomware, including the massive Universal Health Services attack, OFAC released an advisory that not only advised against paying – warned that these acts may violate the agency’s rules. 

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” OFAC officials wrote. 

“OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions,” they added. 

The agency provide several examples of the sanctioned organizations, which include the notorious SamSam hackers that pummeled the healthcare sector in 2018. Other threat actors include Dridex, WannaCry 2.0, Evil Corp, and the Lazarus Group, among others. 

Many of these groups have ties to foreign governments, which caused their sanctions. OFAC officials explained that it will continue to impose sanctions on the hackers and “others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” 

Not only do ransomware payments fuel future attacks, OFAC explained it also threatens US national security interests given their profit and later ability to advance their cause. Paying ransom to a sanctioned entity or jurisdiction could fund activities in conflict with national interests. 

And as noted repeatedly by security leaders, paying a ransom demand does not guarantee a victim will regain access to their data. Notably, one out of 10 ransomware attacks leads to data theft, while an average of 45 percent of healthcare CISOs have faced a cyberattack aimed at destroying data. 

Further, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), prohibits individuals or entities from engaging in transactions, directly or indirectly, with those on “OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.” 

“Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited, U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations,” OFAC explained. 

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” they added. 

Entities should review OFAC’s enforcement guidelines before engaging in these transactions and to determine an appropriate response. Organizations are encouraged to ensure they have implemented a risk-based compliance program to mitigate potential exposure to sanctions-based violations. 

These recommendations extend to companies that work with ransomware victims, including cyber insurance providers, digital forensics firms, and incident response, and financial services. 

Lastly, when faced with a ransomware attack, organizations should first contact relevant government agencies. 

It’s particularly important for healthcare entities, in light of the UHS system outage and the death of a patient in Germany due to a ransomware attack, to review ransomware guidance from MicrosoftOCR, and NIST to bolster systems now, as recent attacks prove hackers have increased in both stealth and sophistication. 

Following the death of the patient in Germany, Emsisoft released insights that stressed the need for a federal ban on ransomware payments given the rapid increase for ransom demands and the likelihood of data theft. The security firm predicts more than $25 billion will be paid in ransom demands this year alone, with an overall $170 billion impact on the economy. 

In short, to Emsisoft, banning the payment of ransom demands to hackers is the only practical solution. 

“The ransomware problem has continued to worsen,” Emsisoft Threat Analyst Brett Callow told HealthITSecurity.com. “In the last month alone, nine healthcare providers or healthcare systems have been successfully attacked, potential impacting patient care at hundreds of individual hospitals - and, as a recent case has demonstrated, these attacks can result in the loss of life.” 

“The OFAC sanctions are certainly a step in the right direction, but apply to only a very limited number of threat actors,” he added. “Realistically, they’re not likely to have a significant impact on the profitability of ransomware and, consequently, have little impact on the number of attacks. We believe a complete prohibition on the payment of demands is now necessary. If you stop the flow of cash, you’ll stop the attacks. It really is the only practical solution.” 

For now, the OFAC sanctions are a step in the right direction. And if the recent attacks are any sign of what’s to come, it may be time for other agencies and Congress to examine the process. 

Next Steps

Dig Deeper on HIPAA compliance and regulation