Regulatory Rumblings Force Companies to Rethink their Ransomware Policies

The decision of whether to pay ransomware hackers to release encrypted information got tougher in March when President Joe Biden signed into law that “strongly advises” companies to report ransomware attacks to the Department of Homeland Security.

It did not, however, create any penalties for failing to do so.

But it does create more problems for executives trying to decide whether to pay ransomware demands at the risk of violating sanctions, which can bring stiff penalties.

The problem is that between the Russian war sanctions and recent moves by the Treasury Department’s Office of Foreign Asset Control (OFAC) to impose sanctions directly on ransomware attackers and cryptocurrency exchanges that help users make cryptocurrencies like bitcoin untrackable, there are more sanctioned entities to deal with.

See more: Bringing Clarity To The Messy World Of Corporate Ransomware

The new Treasury Department “advice” has also unnerved companies that facilitate such payments, from lawyers to insurance firms with ransomware policies, said Michael Phillips, chief claims officer for cyber-insurance company Resilience.

“I will say that there is substantial confusion about the state of the regime on that level,” he said recently, adding that compliance protocols are being added or strengthened.

Liability Questions

“Many companies have a ‘no ransomware payment’ stance until faced with a ransomware attack, especially an attack that causes significant business disruption,” said David Feder, Melissa Duffy and Tyler Newby, attorneys with the firm Fenwick & West in a September blog post. “The problem is that the payment may be unlawful if made to certain embargoed countries or threat actors.”

That was in response to a Treasury Department warning that “strongly discourages all private companies and citizens from paying ransom or extortion demands. Both they and companies “facilitating ransomware payments on behalf of a victim” risk violating the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA).

It notes that there is “strict liability” — meaning you’re violating regardless of whether you know about the sanctions or not.

A Potential Weapon

Those risks are only likely to grow, as sanctions have proven effective against the exchanges ransomware blackmailers need to off-ramp ill-gotten games, said Jackie Koven, head of cyber threat intelligence at blockchain data firm Chainalysis, according to the Wall Street Journal.

Pointing to sanctions imposed on three cryptocurrency exchanges including Suex — as well as the unprecedented sanctioning of, a mixing service used by North Korean hackers after a $620 million heist from a cross-chain payments bridge, Blender — Koven said: “sanctions have been catastrophic to their business, severely damaging their operations.”

Read also: Tackling Money Launderers Means Shutting Down Financial Crime-as-a-Service

Speaking at a June 7 U.S. Senate Homeland Security and Government Affairs Committee hearing focused on the threats of cryptocurrency-enabled ransomware attacks, she added: “What we saw as a result of these designations, especially against Suex, is that deposits dropped nearly to zero as soon as the designations rolled out.”

Read more: US Lawmakers Take on Crypto Ransom Payments

Both the report rules and more aggressive sanctions regime are part of a fast-growing basket of tools the Treasury Department is using to attack ransomware in its wallet, as doing it at the firewall has not proven very effective.

Right now, the Treasury Department’s strategy is aimed largely at gaining information about the scope of ransomeware and the network of exchanges, mixing services and other companies ransomware hackers use to off-ramp payments that can run into the millions.

See also: Privacy Coin Monero’s Use in Ransomware Fuels Growing Security Concerns