The US Treasury Department has published guidelines[1] today to be used in special circumstances where a ransomware payment may break US sanctions.

The guidelines apply to situations where an individual or company has had its data encrypted by a ransomware gang that is either sanctioned or has affiliations with a cybercrime group sanctioned by the US Treasury in years past.

The Treasury says that making a ransomware payment in this type of situation may violate Treasury sanctions and trigger a legal investigation into the entities involved, which could be:

  • The victim;
  • The financial institutions which processed the ransom payment; and
  • Intermediaries such as cyber-insurance firms and companies involved in digital forensics and incident response.

US officials say that in these situations, victims should contact the Treasury's Office of Foreign Assets Control (OFAC) before deciding on making the payment.

"OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus," the agency said today.

Companies that contact law enforcement agencies when they get infected will also be viewed favorably "in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."

According to the OFAC's advisory, the following individuals/groups have been sanctioned, and ransomware payments to these groups, directly or to a nexus, are considered to be a sanctions violation:

Read more from our friends at ZDNet