Companies that find their files, data or networks locked by a malicious actor demanding an extortion payment now have a new worry in their incident response: the United States Department of the Treasury. On Oct. 1, 2020, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory warning companies affected by ransomware that paying ransom could lead to sanctions from the government under various sanctions regimes. At the same time, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a similar advisory indicating that payment of ransom could constitute unlawful and unregistered money transmission, and that payment of ransom implicates the Bank Secrecy Act and may require entities making payments to comply with the Suspicious Activity Reporting (SAR) requirements.
The OFAC advisory notes that the problem of ransomware and ransomware demands is serious and growing. It is being promoted by governments, non-governmental entities, organized criminal groups and dedicated cyber threat actors. Because paying ransom in cybersecurity cases necessarily involves giving money to these threat actors, OFAC posits that the ransom payer may be providing material support to hackers in violation of various U.S. and international sanctions regimes, and that this opens the ransom payer to civil, administrative and criminal penalties.
The Office of Foreign Assets Control is generally responsible for enforcing various U.S. and international financial sanctions regimes, including those against specific countries (e.g., Cuba, Iran and North Korea), persons (Specially Designated Nationals such as certain Russian oligarchs and others), and specific programs. Some of these sanctions regimes were specifically authorized by acts of Congress, some through international organizations like the United Nations, and some implemented by Executive Order of the President. Typically, such sanctions prohibit certain financial transactions with the prohibited entity and require entities to check the list of prohibited countries and the list of Specially Designated Nationals prior to engaging in financial transactions. In fact, the federal Know Your Customer (KYC) and Anti-Money Laundering (AML) rules and regulations are part of the implementation strategy with respect to sanctions regimes.
For example, under the International Emergency Economic Powers Act (IEEPA) the White House prohibited any “transactions” with both TikTok’s parent company and with WeChat, and similarly has imposed sanctions on various foreign companies and even hacker groups. The same is true under the Trading with the Enemy Act (TWEA). As a result, the Treasury and State Departments have issued specific cyber-related sanctions against entities responsible for particular cyber-attacks. In addition, in 2015 and again in 2016, the Obama administration issued Executive Orders authorizing sanctions against “individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” The December 2016 sanctions were specifically aimed at those responsible for the cyber-attacks and disinformation campaigns directed at the 2016 election. These sanctions present a problem for a company needing to pay ransom to an unknown actor, as discussed below.
The Ransomware Problem
When it comes to ransomware, or other similar internet-based problems like extortionware, doxxing, revenge porn or other forms of Internet threats, the threat actor typically demands money in cryptocurrency in return for releasing blocked files, folders, or networks, or for not releasing stolen information, trade secrets, or embarrassing facts learned about a company. In each of these cases, the company is faced with a choice: pay the ransom, or don’t pay the ransom and suffer the consequences. While there are already many legal issues associated with paying the ransom, whether directly, through an insurance company, or through a third party, a new challenge with paying any money in cryptocurrency to an unnamed and unknown entity is that it may run afoul of the OFAC regulations.
Because OFAC’s sanctions prohibit transactions with certain entities, including those responsible for certain cyberattacks, by paying a cryptocurrency ransom to an unknown entity a company may be inadvertently engaging in a financial transaction with a prohibited entity. This opens the company to allegations of violating the sanctions regime, and to potential civil and criminal penalties for doing so. Moreover, by paying the ransom, a company may also be exposing itself to civil and criminal liability for aiding and abetting the hacker or providing material support to the criminal enterprise that has attempted to extort money from it. While some entities have a flat policy never to pay ransom, this results in situations like those in the cities of Atlanta and Baltimore, where the refusal to pay modest ransoms (a few thousand dollars) resulted in the cities’ networks being shut down for weeks and tens of millions of dollars of damage and disruption.
The WhoIs Problem
The OFAC regulations and the sanctions regimes prohibit the knowing engagement in financial transactions with a prohibited entity – but the “knowing” aspect applies to the act of engaging in a financial transaction, NOT the knowledge that the entity is a sanctioned entity. While the law requires financial institutions to check the sanctions list before engaging in any financial transaction, the mere fact that it has done so does not insulate it from liability if, after the fact, OFAC finds that a prohibited transaction has occurred. While the Treasury Department’s Enforcement Guidelines “take into account” the good faith efforts of an entity to prevent a prohibited transaction, the sanctions regimes impose strict liability on those that violate them.
Prior to engaging in a transaction with a prohibited entity, a company could apply to OFAC for a license to engage in the transaction – essentially permission to pay the ransom at issue. But to obtain such a license, the company paying the ransom would have to identify the entity to which it is proposing to make the payment and the sanctions regime from which it seeks relief, and it must obtain the license prior to making the payment. With ransomware, the victim rarely knows the identity of the perpetrator, and has to act within hours or days – not the months usually necessary to identify the bad actor and obtain a license from the government. Moreover, if a ransomware victim seeks an OFAC license and is denied, paying the ransom becomes even more difficult should it determine that payment is the best course of action.
The FinCEN Advisory
The FinCEN Advisory discusses a different aspect of the problem of companies paying ransom. In addition to dealing with potentially sanctioned entities, the payment of ransom to unknown entities by cryptocurrency may also violate the Know Your Customer or “KYC” banking requirements for financial institutions under the Bank Secrecy Act. In addition, the entity making the payment may be deemed to be a “money transmitter” under state law, which requires that the money transmitter be licensed under the laws of the state in which the money is transmitted. For example, if a ransom is paid through a law firm, consulting company, forensic or incident response company, or even through a cryptocurrency broker, that entity may be required to be a licensed money transmitter. Ohio law, for example, defines the act of “transmitting money” to mean “to receive, directly or indirectly and by any means, money or its equivalent from a person and to deliver, pay, or make accessible, by any means, method, manner, or device, whether or not a payment instrument is used, the money received or its equivalent to the same or another person, at the same or another time, and at the same or another place.” So when you use a third party to pay ransom and obtain the unlock keys for your files, you may be promoting unlicensed money transmitting, or conspiring to do so, in violation of federal law.
Most money transmitter laws either state or have been read to imply that a person who makes a purchase of goods or services on behalf of another (e.g., providing $20 to pay the grocer for milk, eggs, butter and cheese) is not a money transmitter. Ohio’s definition, for example, “does not include transactions in which the recipient of the money or its equivalent is the principal or authorized representative of the principal in a transaction for which the money or its equivalent is received, other than the transmission of money or its equivalent.” However, if money transmission represents even a fractional portion of the services provided, the intermediary can be considered a money transmitter, and licensure may be required.
For example, federal regulations exempt from licensure any person who “accepts and transmits funds only integral to the sale of goods or the provision of services, other than money transmission services, by the person who is accepting and transmitting the funds.” This definition of money transmission may seem quite broad, and indeed in 2018 over $850 billion in transactions were regulated as money transmission transactions. It would seem, however, that transmission of a ransom payment in order to recover a computer system is integral to the services provided by an incident response or cybersecurity consulting firm. FinCEN’s ambiguous statement that facilitation of ransomware payments “could constitute money transmission” ignores the distinction between the purchase of an unlock key as part of an incident response and recovery effort and the plain payment of ransom. In doing so, FinCEN muddies the waters and may require victims to be even more cautious in their approach to ransom payments.
Even more complicated is determining in what jurisdiction the money transmitter is required to be licensed – where you give them the funds, where they are located, where they send the funds, or all three? Moreover, the money transmitter would need to comply with often extensive reporting requirements in each jurisdiction in which it intends to maintain licensure. While most cryptocurrency brokers are, in fact, licensed money transmitters, they can only transfer funds to the threat actor. A company suffering from a ransomware attack may need to quickly convert tens of thousands of dollars (or more) from sovereign currency to cryptocurrency, and then arrange for it to be sent to a reliable escrow agent while it negotiates with the threat actor. These transactions are significantly more complicated than simply doing a wire transfer, and they are important to get right. For that reason, companies often rely on digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs), both of which are targeted under the FinCEN advisory.
Additionally, the FinCEN advisory calls into question the legality of certain steps a company may want to take to conceal its payment to the threat actor from public disclosure. Because a public ledger is inherent to the blockchain on which most cryptocurrency relies, the fact of a ransom payment may be discovered by other bad actors and invite further attacks on the company paying ransom. To avoid inviting further attacks, a company may want to obscure the record of its payment by utilizing services called “mixers” and “tumblers,” which break the links between the sender and recipient of funds, usually by randomizing the amounts and destinations of transactions in and out of the service. FinCEN acknowledges these services and even requires their registration as money transmitters. However, use of an unlicensed anonymizing services provider can be considered money laundering, and earlier this year an Ohio resident was arrested and charged by the Department of Justice with laundering over $300 million through bitcoin “mixing” and “tumbling” without the proper reporting and licensure.
The Treasury Department’s advisory warns banks to look for “suspicious” red flags such as “a customer provides information that a payment is in response to a ransomware incident,” or a company’s bitcoin wallet “appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments,” or a company makes a payment to a forensics firm and shortly afterward that forensics firm makes a payment in an identical amount to someone in cryptocurrency. In essence, FinCEN looks for “suspicious” activity by looking for companies that pay ransom – and the forensic and incident response companies that assist them in doing so – and subjects them to the BSA’s “red flag” rules for suspicious activity. Essentially, the Treasury Department is highlighting the activities of forensic companies and insurance companies. This will likely have the practical effect of discouraging companies from paying ransom, or from using companies with recognized expertise in ransom payments.
So, what should a company facing a ransomware or extortion demand in cyberspace do to minimize its risk of violating OFAC and other sanctions regimes?
First, it is important to get competent legal advice from counsel knowledgeable about cybersecurity, data privacy, incident response, sanctions regimes, and data forensics. This is not simply to help navigate the shoals of incident response, but also to enable the response to be protected by the presumptive privilege associated with legal advice. The privilege is not absolute, is not a panacea, and does not protect the company from later liability if it violates the law (including sanctions regimes), but it provides some greater freedom to explore and investigate.
Second, it is important to collect data and thoroughly investigate both the data locking (ransomware) and the demands, in a forensically acceptable manner. If the victim has an effective data forensics capability, then it should be invoked. If not, the company should immediately retain outside advisors with experience in data forensics, incident response, and threat intelligence. The latter is essential to attempting attribution of the threat actor. Remember, the OFAC advisory relates to paying money (ransom) to entities that are on a list of prohibited entities. Part of your incident response is to make at least a good faith effort to determine whether the threat actor you have decided to pay is (or is not) on the list. Collect data such as log data, firewall data, router data, IP and DNS data, and even data about the malware itself (its behavior, origin, and sophistication), which can help determine whether the threat actor is, or is not, “on the list.” Various companies can also be helpful to act as an intermediary in paying ransom – and have sophisticated tools and techniques for tracing cryptocurrency payments or using escrow agents to ensure that the money is only transferred once the unlock keys or codes are validated (throw me the idol and I’ll throw you the whip). Unfortunately, these are the very companies that the Treasury Department has asked banks to label as “suspicious.”
Third, check the sanctions list – particularly the cyber-related sanctions. If you have any reason to believe that the entity you are proposing to pay is, or might be, on the sanctions list (by IP address, nature of the entity, location, etc.), then you may wish to at least inform OFAC, law enforcement, or others prior to making the payment. Remember, the sanctions are applied on a theory of strict liability, but the enforcement guidelines contemplate your good faith investigative and reporting efforts.
Fourth, obtain appropriate cyber-insurance now. In doing so, it is important to know what insurance you are buying and what it covers. Most policies cover “data breach” and breach recovery, which is inadequate to protect you from cyber extortion and regulatory costs. A comprehensive risk assessment is essential to measure your risk, as is adoption of the appropriate behaviors and insurance to mitigate it. Again, cyber insurance companies can help you navigate a ransomware incident, but the FinCEN advisory then puts exactly these companies in the crosshairs for investigation.
Fifth, ensure that the companies responsible for your funds transfers (particularly cryptocurrency transfers) are licensed as money transfer agents. It’s not always clear WHO needs to be registered, but as long as one of the parties is so registered, you may be protected.
Sixth, consider working with the appropriate law enforcement agencies. Law enforcement is ambivalent about whether it is, or is not, “legal” to pay ransom, with the official FBI policy being that companies should not pay ransom, but that the FBI won’t generally prosecute entities for doing so. Transparency is the key. There’s little comfort in that policy, but the OFAC advisory and its enforcement guidelines note: “Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” These measures are not guarantees of insulation from liability but are likely to influence the attitude of law enforcement and regulatory
Of course, such self-reporting will impact the company’s ability to assert privilege and have other impacts on the investigation, so it is important not only to work appropriately with law enforcement, but also to work with the appropriate law enforcement entities. This means having a relationship with federal, state and local enforcement agencies (or knowing entities with such relationships) long before there is an incident, so you can establish trust and rules of engagement for incidents in the future. Since the threat actors are often operating beyond borders, you may need to enlist the support of counsel, investigators, or law enforcement agencies abroad as well. Another problem with working with law enforcement agencies is that if the cops tell you NOT to pay the ransom, and you decide to do so anyway, you may lose the protections that the reporting was attempting to achieve.
Seventh, explore options that don’t involve ransom payments. As noted in the Atlanta and Baltimore cases, and in cases involving mission-critical or time-critical data, paying the ransom may be the cheapest, easiest, and fastest way to restore your operations. But there are alternatives. Aside from having an effective anti-phishing and anti-malware program to reduce the risk of ransomware, companies should have a robust DR/BCP (Disaster Recovery/Business Continuity Planning) capability, including frequent and well-planned backups of data and programs, data recovery functionality, and relationships with vendors and suppliers that will permit rebuilding and restoration of operations. Many ransomware packages may also be unlockable without the key through highly sophisticated computer security procedures known to a few computer security researchers. Some can be “brute forced.” In short, there are options.
There is an adage in computer incident response that there’s no “good” way to respond to an incident – your job is to pick the least bad one. The Treasury Department has raised the stakes by threatening prosecution of computer crime victims. That’s only one of many legal issues associated with response to and payment of funds in ransomware cases. It’s important to take reasonable and measured steps to ensure that you comply with these regulations even during trying times.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred to without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.