Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

Krebs on Security: Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today. In its advisory, the Treasury's Office of Foreign Assets Control (OFAC) said "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations." As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them. A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.

What about the BANKS do they get fines for there!

[Joe_Dragon]

What about the BANKS do they get fines for there parts?

Re:

[thereddaikon]

Did you read TFA? It said financial institutions.

Re:

[gtall]

What about the alleged administration do you not understand? They are only threatening the banks, they won't actually follow through unless the banks do not cough up something to the alleged president.

Re:

[thereddaikon]

Ah I see, you are an insane person who references words you never actually said.

Re:

[rskbrkr]

What about the BANKS do they get fines for there parts?

It is clearly stated in the summary that banks are subject to fines. Banks are also frequently subject to regulatory orders, including cease and desists, if they have deficiencies with their Bank Secrecy Act / Anti-Money Laundering practices.

"companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands bu

Evil Corp

[olsmeister]

Ha! Someone has a sense of humor....

Re:

[account_deleted]

Comment removed based on user account deletion

Re:How to manage ransomware finances.

[Lije Baley]

"Spend a portion of that money on insurance." FTFY.

And the insurance will require security

[raymorris]

And the insurance will require that you spend some on security.
Which should be cheaper, ling term, than constantly dealing with malware and crap.

Re:

[Lije Baley]

True, but if competition in that sector is normal, they will only require those measures which are determined necessary by their actuaries, as opposed to the voodoo-determined security procedures some companies currently suffer with. Certainly they will need to provide reasonable protection and training around malware and crap, e.g. phishing -- I was pretty much assuming that was already a baseline.

Re:

[sheramil]

Spend it on backups.

Re:

[bloodhawk]

awful advise. Spend it on offsite backups, BCP, insurance and then what's left security. Even the best security has holes in it, most of them are your employees, you need to be a in a position to recover.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bloodhawk]

you would be surprised how many places that have backups NEVER test them. backups and BCP are not part of cybersecurity. They are about recovery (that could be a recovery from a security incident, or maybe a natural disaster or fire or other incident). They need to be considered seperately from security (though security plays a part in their definition.

Talk about a rock and a hard place!

[SuperKendall]

So all your systems are unlocked, but if you pay the 100k ransom to fix it quickly you may face a much large fine later, and no real way to tell quickly if that will happen or not...

Man, at some point if you squeeze hard enough companies might actually start taking computer security seriously!

Nah.

Re:

[awwshit]

Or companies just might move somewhere with less stupid laws.

Damned if you do damned if you don't

[bob8766]

This sounds like a good way to incentivize businesses to not report Ransomware attacks at all.

Re:

[Presence Eternal]

I suspect that if Garmin spends five hundred thousand dollars worth of bitcoin on earwig repellent questions will be raised.

Re:

[140Mandak262Jamuna]

There will be additional fines for not reporting ransomware attack.

At this point the company is vulnerable to black mail for not reporting ransomware attack

Whistle blowers too stand to get a windfall. So once your company data is compromised by a ransomware attack, the company should be dead. All the C Suite compensation packages rendered null and void. The assets of the company divvied up among the other companies that actually had security.

Only when there is a chance CSuite will lose it all, there wi

Re:Damned if you do damned if you don't

[Hentes]

Most ransomware attacks are pretty hard to hide. If they don't disrupt the daily operation of the business there's no incentive to pay the ransom.

Re:

[bloodhawk]

how do you hide something that is literally destroying your business with everyone working their knowing it is happening? This is exactly what the attackers rely on, people pay because it is literally costing them their busines.

Re:

[Anon42Answer]

If they are publicly traded company or regulated, then not reporting would be criminal.

Shoot to win

[AndyKron]

What happens when you're between a rock and a hard place?

Already Happening in the UK

[ytene]

A friend of mine owns a private dental practice in the UK...

He earned his medical degree and completed the additional years of dentistry training at Glasgow University in Scotland, and about 3-4 years ago he was chatting with another dentist who had graduated in the same class (my friend is the one in the class all the others visit for the check-ups and work). He learned in the process that his friend's business had been hit by ransomware.

The business had been crippled, so this other dentist paid the ransom [after confirming that the crooks did actually provide unlock keys] and recovered his data. Because this guy was an honest citizen, he took all the details, including photographs of the ransom message, screen shots of the payment and recover process, to his local police station. The desk officer was fascinated as they hadn't come across anything like this being reported before.

Three days later the same officer turned up at the dental surgery with bad news. "I'm terribly, terribly sorry about this, Sir. I'm afraid I'm here to arrest you and take you to the station where I'm instructed to charge you under the "Proceeds of Crime Act", because you have voluntarily admitting providing funds to an identified criminal gang."

This other dentist was duly taken to the station, charged, released on police bail, then had to go through the considerable time, trouble and expense of hiring legal counsel. They decided to go to court to appeal the charge, lost, and the fine was [I cannot remember the amount now] eye-watering.

And that's the modern justice system for you: treat the victims like criminals.

Re:

[LenKagetsu]

Though I despise it, we must not only prevent crime, but punish those who contribute to it. It sucks that it happened, but this is a fairly new phenomenon and it will take a long time for all the rough edges to be cleaned out. I personally see it as a fine for not taking proper measures with your data. To allow someone to simply pay these ransoms opens up a few shenanigans of its own. For instance, you can write off losses relating to crime on your taxes in the US, it would be a major tax evasion loophole a

Re:

[Rhipf]

If you are mugged and the thief gets away with your purse/wallet are you also subject to arrest since you provided funds to a criminal gang/individual?

Re:

[shentino]

No, there's a difference between you giving it and them taking it, plus there's the separate factor that being mugged at gunpoint puts your life on the line and that trumps the criminal assistance aspect.

Re:

[Britersen]

Well in this case the corporation's life was on the line. I wonder if the argument could have been made that the dentist himself didn't make the payment, the dental corporation did as a business expense.

Re:

[LenKagetsu]

Unlike America we don't consider companies to be people.

Re:

[ytene]

"Unlike America we don't consider companies to be people."

This is factually wrong. The UK structure of a "Limited Company" is the legal equivalent to the US structure of an "Incorporated Company". What we would call "Inc" in the US is called "Ltd" in the UK.

Re:

[Rhipf]

So if you get mugged and willingly give up your wallet/purse instead of getting hit/shot before giving it up would THEN make you complacent in the crime? There is some data (e.g. medical data) that if encrypted by ransomware may also put your (or others) life in danger also.

Re:

[lsllll]

Better yet, if someone kidnaps your kid and wants 100K to release the kid, do you not pay? And if you pay, are you subject to arrest? What if you went through the cops and the kidnapper got a hold of the money anyway and ran away, under the watchful eyes of the cops? Are you still subject to arrest?

Re:

[ytene]

This is false equivalence.

Suppose the dentist had gone to the local police station and said, "A group of unknown criminals, who operate somewhere on the internet and who may not be UK nationals, have maliciously deployed malware on the computers that run my business such that I am not able to operate. Can you help me recover the key to unlock my data?"

The reply would have been "No." Not only because that would unlikely be within the remit of the local police, but because the police would only have jur

Re:

[shentino]

Normally I'm not ok with victims being treated like criminals.

If they were passive victims I'd take your point, however by coughing up the ransom and thereby making the crime profitable they are effectively making themselves accomplices in the same crime where they are the victim, as sad as it is.

Mind you the real bastards in the situation are the cyberterrorists taking the data hostage in the first place.

Re:

[lsllll]

however by coughing up the ransom and thereby making the crime profitable they are effectively making themselves accomplices in the same crime where they are the victim, as sad as it is.

I wonder if you'd have the same stance if your daughter was kidnapped and held for ransom.

Re:

[Anubis IV]

I see both sides on this one. In many regards, the dentist's situation is no different than if he had handed over his wallet during a mugging: his livelihood was being threatened, so he felt like he had no choice. On the other hand, if an entire nation practices "we don't negotiate with criminals", whether voluntarily or through enforcement actions such as these, it stops the cycle of crime and makes everyone in that nation significantly less attractive to criminals because they know they'll be unlikely to

Re:

[gweihir]

There is also another element were he is at fault: You can be prepared for a ransomware attack and then you get up and running again from off-line backups, no payments involved. Any halfway professional IT operation is able to do that and it is not regarded as optional by any halfway professional IT staff. He chose to do this cheaply and insecurely. As to your wallet, you really need that and there is no sound alternative.

Re:

[gweihir]

British justice is badly broken. Where is the public interest in victimising the unfortunate dentist further?

That is obviously to prevent others from doing what he did, namely making a crime profitable.

Re:

[gweihir]

And that's the modern justice system for you: treat the victims like criminals.

It is nowhere as simple as that. For one thing, he contributed to the perpetuation of that type of crime. For another, he operated critical IT infrastructure (for him) without adequate security and disaster preparedness. In a very real sense, he generated the opportunity for the crime. And hence he _is_ part of the problem.

Re:

[gravewax]

Though it is harsh, he definitely DID do something wrong. It is not ok to payoff criminals even if you then report it later to the police what you did.

Punishing the victim

[BitterOak]

What's next? Rape victims who get pregnant and give birth will be charged for "spreading criminal genes into the population"?

Re:Punishing the victim

[awwshit]

Probably, right after they vacate Roe v Wade and require rape victims to give birth.

Why it is totally obvious

[AlanObject]

Because the best way to help a victim of injury is to pile more injury on top of it.

Re:

[gweihir]

If the victim did it to themselves and is harming others in addition, yes. And that is pretty much what is going on here. Ransomware preparedness is non-optional in any halfway professional IT operation.

At least ban insurance cover

[jaa101]

The worst aspect of these cases is when companies are more willing to pay out because their insurance covers some or all of the blackmail costs. Making it illegal for insurance companies to cover such payments would be a good start. It would make it harder for companies to pretend that insurance was a viable alternative to investing in security.

Under economic sanctions

[PPH]

Well then, I'll make damned sure that anyone blackmailing me presents proper identity credentials before I pay. So I can check them against Treasury and State Department sanction lists. Yes sir. There is no way I would just make payments blindly through anonymous e-mail services instead of insisting on a proper Taxpayer Identification Number so as to report the transfer on a 1099.

It's interesting that this is an OFAC [wikipedia.org] issue. Like there aren't a bunch of domestic organizations funding themselves by blackmail

Cyber Command

[BarryHaworth]

This sort of thing makes me think that the US should have set up a Cyber Force (or Cyber Guard or whatever) to deal with these sorts of threats, rather than a Space Force.

Re:

[Khyber]

We had one, under Obama. Trump all but destroyed that, and rescinded several related orders, all because they were done by a black president.

Re:

[BarryHaworth]

Did you? I remember thinking that you did, then being surprised when the Space Force was being discussed as the "Sixth Branch of the US Armed Forces" to discover that the other five were Army, Navy, Air Force, Marines and Coast Guard - not a Cyber Force in sight.

Surely an arena of such huge commercial importance and affecting such a large number of people needs to be protected.

Wait till ransomware hits voting machines

[schwit1]

https://twitter.com/i/status/1... [twitter.com]