On October 1, 2020, the Department of the Treasury, Office of Foreign Assets Control (OFAC) issued an advisory to outline the sanctions risks associated with ransomware payments related to the malicious cyber-enabled activity1. OFAC has made it clear that “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”
To be clear, facilitating payments for ransomware to sanctioned entities may result in civil fines and penalties. This OFAC advisory is limited to sanctions risks related to ransomware and was not intended to address issues related to information security practitioners’ cyber threat intelligence-gathering activities.
What Does Business Need to Know?
The U.S. Government keeps a list of economic sanctions which are administered by OFAC. OFAC has imposed sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for ransomware related activities. Ransomware payments made to sanctioned persons or sanctioned jurisdictions could be used to fund activities contrary to the United States’ national security and foreign policy objectives. Ransomware payments may also encourage threat actors to engage in future attacks. In addition, paying a ransom to threat actors does not guarantee that the victim will regain access to stolen data.
U.S. citizens and residents are generally prohibited from engaging in transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
Civil Penalties for Sanctions Violations Based Upon Liability
OFAC may impose civil penalties for sanctions violations based on liability. This means that a person subject to U.S. jurisdiction may be held civilly liable even if they did not know or have reason to know it was engaging in a transaction with a prohibited person under sanctions laws and regulations administered by OFAC. Companies involved in facilitating ransomware payments on behalf of victims should also determine whether they have regulatory obligations. In failure to meet these obligations, these companies then take on the new risk of penalties for sanctions violations.
Civil penalties for sanctions violations will have a direct impact on the flow of ransom payments. By choking off illicitly gained ransom revenue streams, OFAC’s civil penalties will make ransomware a far less attractive revenue source for threat actors.
OFAC Has Identified Numerous Ransomware Threat Actors
OFAC has identified numerous malicious cyber actors under its cyber-related sanctions program. This includes perpetrators of ransomware attacks and those who facilitate ransomware transactions. Some of these cited by the OFAC advisory and explicitly called out and sanctioned include Cryptolocker, SamSam, WannaCry, and Dridex and the threat actors behind all of these ransomware tools.
As an example, let us take a closer look at Dridex. Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft-related losses. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for the development and distribution of the Dridex malware.
The best way to deal with ransomware is to minimize your risk of infection. The Infoblox Cyber Intelligence Unit (CIU) has covered Dridex extensively. Here you can see our threat research from the past year includes these three important reports:
- Dridex Malspam Spoofs Messaging from Popular Accounting Software Company2
- Dridex Banking Trojan Hides in Fake Payroll Notifications3
- Dridex Banking Trojan4
Best Practices Help Stop Ransomware
An ounce of prevention is worth a pound of cure! You can reduce the risk of ransomware and ongoing attacks more quickly with these essential best practices:
- Always back-up essential data.
- Prioritize and apply the latest security updates and patches.
- Utilize network segmentation to limit the spread of ransomware.
- Train employees in email hygiene and attachments best practices.
- Implement a DNS response policy zone (RPZ) enforcement to prevent data exfiltration and block DNS communications from compromised devices with malicious sites and command and control servers, including those associated with ransomware activity
- Monitor DNS requests to identify suspicious DNS activity.
- Improve visibility and discovery with tools that can detect unauthorized or compromised devices and virtual machines anywhere on your network so you can automatically block their access.
- Use the valuable data from DNS, DHCP, and IP address management (DDI) to gain useful insights to help you better understand ransomware attacks, related risk, and best prioritize remediation activity.
- Harness threat intelligence to detect, prioritize, and anticipate evolving threats.
- Support integrated security response by sharing threat data across SOAR, SIEM, and other cybersecurity ecosystem technologies.
Learn more about how we can help – more information on reducing the risk of ransomware: https://www.infoblox.com/resources/videos/the-role-of-dns-instrumentation-and-dns-data-in-fighting-ransomware/
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.
1https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
2https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–72
3https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–51
4https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–19
