In case there was any confusion, the U.S. wants to remind everyone that law is law.
No one is allowed to transact with sanctioned entities, the Treasury Department warned Thursday in an advisory. The Office of Foreign Assets Control, or OFAC, specifically called out victims of ransomware for possible sanctions violations, a first for the federal agency.
The bulletin “officially puts companies on notice,” said Dmitri Alperovitch, cofounder of the Silverado Policy Accelerator, a security-themed think tank. The former chief technology officer for CrowdStrike, a cybersecurity firm, described the action as “a significant shot across the bow to victims, incident response companies and payment facilitating companies,” alerting them their behavior could be criminal.
The Treasury’s insistence on following the letter of the law puts targets of ransomware in a difficult position. In order to recover locked-up data, ransomware-stricken firms often have few options but to meet hackers’ extortion demands—even though doing so by no means guarantees data recovery.
Many organizations prefer to pay up rather than remaining hobbled or risking going under.
“I get the point [of Treasury’s notice] but wonder if the implications of this have been considered,” said Phil Reitinger, president and CEO of the Global Cyber Alliance, a cybersecurity nonprofit group. “What if the victim is a hospital? A city government?”
No organizations are immune to ransomware breaches—and the business landscape is replete with examples of companies caving to hackers’ demands. Cities and hospitals are, indeed, among them.
Reitinger, who is also formerly a Homeland Security Department deputy undersecretary, fears the Treasury’s strict rules may ignore the reality of the situation. “It seems to me those who most ardently oppose ransom payments are those who don’t have to deal with real consequences,” he said.
Garmin ultra soft
Multiple industry insiders told Fortune that recent rule-flouting, and a particularly egregious incident this summer involving Garmin, the GPS tech-maker, spurred the Treasury to issue its advisory.
After suffering a crippling ransomware attack in July, Garmin reportedly employed the services of an incident response firm. The two are said, ultimately, to have paid a multimillion-dollar ransom to a blacklisted, Russian cybercriminal group. (Garmin declined to discuss the matter and Arete did not reply to Fortune’s request for comment.)
Garmin’s case is not unique. Charles Carmakal, chief technology officer of Mandiant, the data breach recovery unit at FireEye, a cybersecurity firm, said he knows of several companies that have paid extortion demands ranging from $10 million to $30 million. Hackers tend to target smaller companies with six-figure demands and larger ones with seven-or-eight-figure demands, Carmakal said.
The frequency of the attacks appears to be the rise. Carmakal says his team is aware of more than 100 organizations currently being preyed upon this month alone, more than double what it was aware of last September.
The intention of the Treasury’s notice “is positive,” Carmakal said, “but it will certainly add more pressure and complexity” to victims seeking to bounce back from such hacks.
All this means more businesses are facing a tough dilemma: Pay up and break the law, or remain knocked offline.
According to the Treasury’s notice, ransomware victims are expected to check its list of sanctioned entities before making any payments. If a payment could run afoul of the rules, companies must submit requests for exemption.
The odds of an exemption are low, however. These license applications “will be reviewed by OFAC on a case-by-case basis with a presumption of denial,” the Treasury notice said.
Plausible deniability is no excuse. A Treasury spokesperson told Fortune that companies could be held liable even if they aren’t aware they’re paying a sanctioned entity. Victims should report incidents to law enforcement as cooperation could be considered a “significant mitigating factor” in possible penalty determinations, the spokesperson added.
Joshua Motta, CEO of Coalition, a cybersecurity insurance startup, said the Treasury’s hardline approach puts ransomware victims “in an even more precarious position” than they were in already.
The difficulty of attributing attacks amid the murkiness of cyberspace adds complexity to the situation. Anyone who paid off the perpetrators of the “SamSam” ransomware campaign in years past might not have initially been aware they were based in Iran, for example. Suspected North Korean ransomware hackers have recently been trying to cover their tracks too.
Because many hackers operate abroad, it can be difficult for U.S. authorities to catch them even when they are identified. “Ironically, the victims of ransomware may well face more severe consequences than the perpetrators,” Motta said.
No negotiating with terrorists
So far, the Treasury has not prosecuted any ransomware victims—or industry partners who help make ransomware payments—for breaching sanctions laws. But some people believe that should change.
Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre, is one proponent of adopting a tougher stance. “If I had one policy card to play in the next year, I would ask for a serious examination of whether we should change the law to make it illegal for organizations in the U.K. to pay ransoms in the case of ransomware,” he recently told the Royal United Services Institute, a British think thank focused on defense policy, according to Bloomberg.
The position has support from some in the cybersecurity industry. Treasury’s warning is “a much-needed step in the right direction,” said Brett Callow, a threat analyst at Emisoft, an anti-malware firm that tracks ransomware.
But, Callow continued, “we’d prefer to see a complete ban on the payment of demands. If the flow of cash stops, the attacks will stop.”