The Treasury Department is asking organizations not to pay off malicious actors to terminate ransomware attacks without carefully considering possible national security threats – and said it may implement penalties for organizations that choose to pay ransom to their attackers.
Ransomware attacks install malware on IT systems, preventing users from accessing their data unless a fee – or ransom – is paid. While paying the ransom seems like an easy out, the Treasury Department cautioned that a payment could encourage illicit actors to continue launching attacks for profit. Paying a ransom also does not guarantee a victim will regain access to its information.
In an Oct. 1 advisory, Treasury continued, “Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” Put simply, paying ransom to malicious actors could end up funding national security threats.
For organizations that choose to pay to get their data back, Treasury said its Office of Foreign Assets Control (OFAC) may charge civil monetary penalties to discourage parties from paying ransom to attackers. Individuals and organizations in the United States are prohibited from engaging in transactions with entities on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List and those covered by embargoes. Any ransomware transaction that violates this restriction may be subject to “civil penalties for sanctions violations based on strict liability,” the agency said.
The Treasury Department recommends that financial institutions and other companies implement a risk-based compliance program to mitigate possible violations, including in the wake of a ransomware attack. “The sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction,” the agency suggests.