Companies who pay ransom demands may now face civil and criminal penalties.
The Ransomware recovery process just got harder.
Let's give a quick scenario to illustrate:
Your organization gets hit with Ransomware. This halts your business. Hackers have your stolen files, and they're demanding a six-figure ransom. The countdown has begun (yes, there's usually a clock - how convenient).
You have two choices:
1. Don't Pay, Just Pray - deny the ransom and hope your most sensitive data is not exposed on the Dark Web. Then, hope your backups are stable and your network can be restored.
2. Pay and Pray - pay the cybercriminals to unlock your files and hope they actually delete their copies of your stolen files.
(either way you're praying for a good outcome)
Many have chosen Option 2. But now there's a new risk with paying a ransom.
The US Treasury has put us on alert. And they're not messing around.
The Treasury's Office of Foreign Assets Control (OFAC) monitors and sanctions individuals and countries who are deemed dangerous to US interests.
Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States.
OFAC's recently issued advisory on Ransomware payments warns people and organizations that they may face civil and criminal penalties if a Ransomware payment benefits sanctioned illicit actors.
Who does this include?
Yeah, we don't blame you for not keeping tabs on the latest organizations and people included on the Specially Designated Nationals and Blocked Persons List (SDN List).
These include countries like:
These also include hacker masterminds behind popular Ransomware variants like:
Well that's a special list right there, huh?!
What does this mean for you?
Under the Trading with the Enemy Act (TWEA), the US Treasury can issue severe penalties to people and organizations whose ransom payments benefit any of the above criminal groups, individuals or sanctioned jurisdictions.
(We know you don't care about more government acronyms, but that one is pretty cool.)
Importantly, these penalties are based on "strict liability." For the non-attorneys out there, this means you can be held liable even if you didn't know that your ransom payment went to benefit a sanctioned entity. Yes, I'll repeat that:
A person may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited.
Those penalties can be huge - up to 20 years in prison and fines up to $1 million!
What should I do if I get hit with Ransomware?
Contact OFAC immediately (details here - scroll to bottom).
Next, get in touch with the FBI (details here). Our FBI does a great job addressing cybercrimes.
In its advisory, OFAC stated that the victim's speed of notification will be considered in any penalties. So, your steps after a Ransomware attack are absolutely critical.
Where's the good news?
The good news is that