'Facilitating' ransomware payments could land companies in hot water
An updated Treasury Department advisory spells out the risks cyber insurers and other companies could face for paying ransoms.
In an effort to tamp down the ever-enlarging ransomware threat, the U.S. Department of the Treasury is taking a stiffer stance against companies, including cyber insurance providers, that make or “facilitate” an extortion payment.
The department’s Office of Foreign Assets Control (OFAC) put out an updated advisory to underscore the possible sanctions associated with making ransomware payments and the violations that might arise when dealing directly with malicious actors.
The bulk of the advisory deals with facilitating payments, whether knowingly or unknowingly, to individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked individuals, and those covered by comprehensive country or region embargoes, such as those on Cuba, the Crimea region of Ukraine, Iran and North Korea. The risk of sanctions, which can result in civil penalties, also covers those facilitating payments on behalf of a victim.
Besides repeatedly stressing its position against giving in to demands, the department encouraged financial institutions and other companies to put a risk-management plan in place to mitigate exposure to sanctions-related violations.
Companies that implement or improve their cybersecurity practices will be considered as having taken “significant” steps to mitigate these risks should they face enforcement action. Contacting a government agency or law enforcement to self-report a ransomware attack and possible payment to a sanctioned entity will also be considered a mitigation effort should enforcement become necessary, according to OFAC’s advisory.
Treasury cracks down on crypto exchange
The department has already shown its teeth on the matter, designating a virtual currency exchange for its role in enabling financial transactions for hackers. The Treasury reported that records from SUEX OTC, S.R.O, the crypto exchange, showed more than 40% of its known transactions involved illicit actors.
SUEX processed transactions involving at least eight ransomware variants, according to the department.
As a result of the designation, all SUEX property and interests subject to U.S. jurisdiction have been blocked, as have any entities of which it controls 50% or more. Further, U.S. citizens are prohibited from engaging in transactions with the company. Financial institutions and others found engaging in business with SUEX are open to sanctions and further enforcement actions, the Treasury reported.
“Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” Treasury Secretary Janet L. Yellen said in a release. “As cybercriminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter and prevent ransomware attacks.”