The U.S. Treasury Department warned that making ransomware payments could violate federal sanctions programs and anti-money laundering regulations. The warnings appeared in two advisories issued by the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN).
The OFAC advisory focuses on the “sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC warns that companies facilitating ransomware payments to cybercriminals encourage future ransomware payments. Importantly, a payment that a business or individual makes could risk violating OFAC regulations.
The FinCEN advisory addresses companies that provide services to victims of ransomware attacks and cyber insurance companies that “facilitate” a ransomware payment. FinCEN warns that, depending on the facts and circumstances of the transaction, a ransomware payment could constitute a money transmission.
The pandemic compelled many companies to have their employees work from home. As a result, these companies rely on remote desktop protocols to conduct business online.
OFAC reported an increase in ransomware payments as cybercriminals target online systems. Over the past several years, OFAC designated “numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.”
FinCEN warns of increasing sophistication in ransomware operations. Cybercriminals are deploying schemes that include:
- Big Game Hunting – targeting larger enterprises to demand larger payouts
- Criminal Partnerships – sharing resources to enhance the effectiveness of the attacks, which includes ransomware exploit kits with “ready-made malicious codes and tools”
- Double Extortion – removing sensitive data from targeted networks while encrypting the system files and then demanding a ransom to prevent the data from being published
FinCEN reports that ransomware attacks are a “growing concern” for financial institutions because those institutions have a critical role in the collection of ransom payments. A ransomware payment typically moves through a multi-step process that includes a depository institution and at least one money services business (MSB) that processes convertible virtual currency (CVC).
According to FinCEN, cybercriminals often distribute ransomware by using common tactics, such as phishing campaigns and “drive-by” malware attacks. FinCEN advises that the best defense against ransomware is proactive prevention. Effective actions include “cyber hygiene, cybersecurity controls, and business continuity resiliency.”