How To Avoid Penalty Liability Following A Ransomware Attack | The Volkov Legal Group


Matt Stankiewicz, Partner at The Volkov Law Group, joins us for an interesting article on ransomware and OFAC sanctions compliance.

Ransomware attacks are on the rise, and businesses around the world should take steps to strengthen their cybersecurity defenses and resilience to ensure that their internal systems are able to withstand cybercrime attacks. Cybercriminals are extremely sophisticated; some groups even maintain staff spread across the globe to handle a variety of issues for the group. A recent leak of internal chat logs and other information from the prominent cybercrime group Conti revealed that it even has a human resources department that scours resume databases around the world to identify likely candidates to bring value to the organization. Many of these organizations even hire call centers in foreign countries to act as negotiators – they provide them with scripts and guidelines on how to negotiate and what terms to accept or reject. Some groups operate as ransomware-as-a-service, where they license their malicious code to users who inject it into corporate systems. Once installed, it runs automatically and distributes payments between creator and licensee. A recent study by Chainalysis revealed staggering earnings over the past year:

As if data issues weren’t enough, these attacks present another potential pitfall: sanctions liability. As a reminder, OFAC administers and enforces economic sanctions programs primarily against countries, entities, groups, and individuals for various diplomatic reasons. Sanctions can be comprehensive or selective and use asset freezing and trade restrictions to advance foreign policy and national security objectives. U.S. Persons are prohibited from engaging in transactions with sanctioned entities unless authorized by OFAC or expressly exempted by law.

While Russia has been in the news recently with a variety of new sanctions programs, be aware that one of the main sanctions programs that President Biden is using to punish Russia for its invasion is an Executive Order originally signed on 15 April 2021 – Executive Order 14024, Blocking Assets Related to Specified Harmful Foreign Activities of the Government of the Russian Federation. Among other things, this executive order focused on “cyber-enabled activities” and targeted Russia’s notorious cybercrime community (which, as you can imagine, includes troll farms and cyber-propaganda weapons that are responsible for interference with the elections). Additionally, President Obama previously signed two Executive Orders – 13694 and 13757 – that dealt exclusively with “malicious cyber-enabled activities.” Based on these authorities, and despite the supposed anonymity of these cybercriminals, the US government still has various means to identify the individuals behind the keyboards. As such, OFAC has already named several individuals who have created and/or facilitated cybercrimes over the years. Even where the individuals are not identifiable, OFAC has sanctioned cybercriminal groups, including their associated cryptocurrency wallet addresses and even the cryptocurrency exchanges they use to facilitate many of these transactions. In short, OFAC is very active in the area of cybercrime.

Regarding ransomware, OFAC has issued specific advice on the subject. OFAC warns that ransom payments resulting from ransomware attacks can potentially violate sanctions regulations if such payments are made to sanctioned parties. OFAC emphasizes that the violations are a strict liability offense. However, OFAC also recognizes various mitigating factors, such as the existence of a comprehensive sanctions compliance program and the adoption of cybersecurity defensive and resiliency measures – the latter being a “significant” mitigating factor. Additionally, OFAC emphasizes the need to report the cyberattack to the relevant agencies. Voluntarily disclosing the situation to OFAC if it involves potential sanction concerns may also be a mitigating factor in any subsequent enforcement action.

This leads to potential problems for companies affected by these ransomware attacks. Do you pay the ransom to quickly recover your data and prevent its public dissemination? Or do you refuse to pay, risking the loss of data and reputation, in order to avoid sanctions liability? It’s a tricky situation.

Despite the obscure nature of these groups, there is very often much more information available than initially appears. For one thing, most – if not all – of these groups require payment in cryptocurrency. While many mistakenly believe that crypto transactions are anonymous, they are a far cry from that. On the contrary, the blockchain keeps a record of all transactions, and the flow of funds can be tracked historically or in real time. For example, when investigating a recent ransomware attack for a client, we engaged a reputable cryptocurrency forensic group to use data analytics to track the wallets and funds of the group in question. Using these tools, we were able to track the group’s funds on a short trip to a few highly reputable exchanges, where they were likely cashed out in fiat. Knowing that the funds were transferred quickly to a KYC exchange gave some comfort that these groups were not sanctioned. Along with a variety of other tools and thorough due diligence, we were able to provide the client with assurance that this ransom could be safely paid without breaching sanctions.

However, paying the ransom is not the end of the battle. Even assuming the group sticks to their end of the bargain (which isn’t guaranteed, but often they do because they know it allows future ransom payments to flow), other problems can arise shortly after. If a company is known to pay a ransom following an infection of its systems, then it is placed on a list which is sold on the dark web to other cybercriminal groups. This list is effectively a “hot leads” sales list. Additionally, with the rise of companies keen to insure against these ransom payments, this information will be included in the list and will only increase the willingness of other hacker groups to try to get a share of the cake. Therefore, once attacked by ransomware, a business should consider undertaking thorough remediation to ensure that its systems can withstand a continuous barrage of attacks.

To help in this endeavor, the US government has provided a variety of resources to businesses. The US Cybersecurity & Infrastructure Security Agency (“CISA”), for example, provides free “hygiene” services to enterprise systems to identify glaring problems and weaknesses. CISA continues to issue advisories to warn of the latest bugs and viruses as they are identified, along with recommended security measures and mitigations.
