Organizations have a better sense of predictability and more incident response planning since the Treasury Department's Office of Foreign Assets Control (OFAC) issued a list of sanctioned entities in 2020, Michael Lieberman, assistant director of OFAC’s enforcement division said, during the virtual Incident Response Forum Ransomware earlier this month. He cautioned this was based on anecdotal feedback.
However, some ransomware payments happen relatively soon after an infection — and potentially before a victim can contact law enforcement or an agency like the Cybersecurity and Infrastructure Security Agency (CISA). Without that input, companies risk paying a blocked person, a specially designated national or an actor in a sanctioned jurisdiction.
It is too soon to know what positive impact the Treasury's actions have had, according to Ed Cabrera, chief cybersecurity officer at Trend Micro and former CISO of the Secret Service. At the very least, the actions have "raised the awareness of the risk companies face when dealing with a ransomware attack."
OFAC's primary mission is to increase incident reporting and promote cybersecurity practices through its advisories to organizations. If an organization pays a sanctioned party, OFAC takes into account whether the company made a "self-initiated and complete report" of the attack to a federal agency, the advisory said.
The risk in paying without input from law enforcement is OFAC's "strict liability," Lieberman said. This means that "a person subject to OFAC jurisdiction can be held civilly liable," even if they unknowingly engaged in a transaction prohibited by laws and regulations.
Ransomware-related payments reached nearly $600 million in the first half of 2021, compared to $416 million during the same time in 2020, according to the Treasury. OFAC reinforced mitigation measures in September as the Biden administration focused more on the threat, following its October 2020 ransomware guidance.
The Biden administration tasked federal agencies with finding ways to counter ransomware, Lieberman said. The goal of the ransomware advisory issued in September was to highlight the Treasury's specific authorities in ransomware prevention, including the regulation of currency exchanges.
The sanctions have added fear to the risk calculation of paying a ransom, which in turn adds to a reluctance to work with law enforcement for fear of fines, according to John Bambenek, principal threat hunter at Netenrich, in an email.
With ransomware attacks always on the rise, "pyrrhic victories aren't worth celebrating," he said.
The Treasury has taken incremental steps to thwart ransomware attacks and the operators behind them in recent years. In September, the agency sanctioned the cryptocurrency exchange Suex for its ties to money laundering for ransomware affiliates, though the exchange has no known connections to specific variants.
Lieberman has noticed incident responders taking a more "cautious approach," because of OFAC's list of sanctioned ransomware-related parties, though the agency lacks quantitative data for 2021.
"Attribution is very difficult. And I think one of the key takeaways from the advisory is that we're not looking to play 'gotcha,'" he said.
OFAC will consider an organization's "willfulness or recklessness" when deciding whether to issue a fine. Following an incident, the agency recommends that organizations use digital forensics, which is another reason the federal government wants increased incident reporting, according to Lieberman.
"The U.S. government does not have a monopoly on data in the cyber and crypto ecosystem," said Lieberman. If incident reporting becomes a more regular — or mandatory — practice, the U.S. can "gain broader situational awareness to assist law enforcement in countering these bad actors," as well as recovering data or funds for victims.