OFAC Penalties for Ransomware Payments

As if getting hit with ransomware wasn’t costly enough, a statement from The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) titled: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments indicates potential fines on companies who “facilitate ransomware payments,” either directly or through third-party mitigators. The justification for the penalty is that ransom payments to malicious cyber entities and persons would “fund activities adverse to the United States’ national security and foreign policy objectives.” Specifically, these potential fines could be assessed for ransomware payments made to foreign entities under OFAC sanctions such as the Lazarus Group and Evil Corp, although not limited to only those entities.

No fines have been levied yet, and the advisory states that it is explanatory only and does not carry the force of law. It encourages the “[implementation of] a risk-based compliance program to mitigate exposure to sanctions-related violations.” This appears to be a polite way of giving U.S. companies a chance to step up their risk-avoidance activities and protect against ransomware before any formal actions occur, which would likely be civil and not criminal in nature.


Immediately Notify OFAC in the Event of a Ransomware Attack

The advisory also indicates that businesses affected by ransomware should notify OFAC and other appropriate authorities immediately, and that doing so could affect any fines and penalties the agency imposes. It stands to reason that companies who pay the ransom simply need to get their businesses back up and running quickly.

The advisory creates concern and confusion for companies holding cybersecurity insurance. Notably, most insurance contracts contain a clause stating that if funding a policy-related event violates any law, the claim will be declined. Will cyber insurance companies use this advisory to refuse payment of the ransom in cybersecurity incidents?

This advisory comes in the midst of a particularly malware-active 2020, thanks in large part to COVID-19 scams as well as the upcoming election cycle in the United States. Several high-profile companies, such as Pitney-Bowes, were hit for the second time in less than a year by groups known for double extortion tactics. Many attacks targeted government and public sector entities as well, exposing security holes either directly or through associated service providers.

Garmin, the global GPS and smartwatch company, lost functionality in several divisions after receiving a ransom demand for USD 10 million. The amount actually paid is unknown but was still allegedly in the millions of dollars.

Email Initiated Ransomware Attack

A few weeks ago, managed services provider Tyler Technologies, which serves government entities and in some cases provides aggregation for election results, also announced a malware incident that resulted in a ransomware payment to return to service. The name of the trojan variant was “Ransom X (Ransom.exx),” and the ransom amount is unknown. An interesting note in this case is that the compromise was supposedly human-initiated rather than delivered through a phishing or malicious email—meaning an actual person targeted the company and carried out the attack.


What can I do to protect my data from ransomware?

Pretty much everyone agrees the best ransomware protection is to have good, reliable backups and a plan to put into action when the event occurs. Given the proliferation and sophistication of malware and hackers today, businesses need to get backups offsite and then guarantee the ability to recover cleanly even if the remote backup files are encrypted or deleted. Malicious actors target these files first and then work backward into local backup files to secure their ransom or their theft of data.

Global Data Vault introduced Enhanced Data Protection (EDP) to add additional security layers to your cloud backups. We recognized the need to provide a gap from your network and to introduce security information and event management (SIEM) to watch for unexpected behavior from your backup environment to ours. We believe the most important thing is your data integrity, and we work hard to provide it.

Our customers rely on us for assistance and recovery in the event of a disaster or outage, including a ransomware incident. With EDP, we protect against insider threats, accidental deletions, and malicious activity targeting your cloud backup files. If ransomware encrypts or deletes these files, Global Data Vault can recover them from a “hidden” repository and make them accessible for you to restore. We even provide a sandbox to verify the data before bringing it back into your environment.

Instead of paying ransoms and possibly incurring fines from OFAC, you need a solution you can rely on to have recoverable data when you need it most. Contact us today to learn more!
