U.S. Treasury Warns Cyber Insurers Against Paying Ransomware Demands

The U.S. Treasury Department is warning that individuals or businesses that help facilitate ransomware payments may be violating anti-money laundering and sanctions regulations.

The warnings came in a pair of advisories, one from the Financial Crimes Enforcement Network (FinCEN) and the other from the Office of Foreign Assets Control (OFAC).

“Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes,” said Deputy Secretary Justin G. Muzinich. “Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.”

FinCEN addressed companies that provide protection and mitigation services to victims of ransomware attacks, including digital forensics and incident response companies and cyber insurance companies that facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for convertible virtual currency (CVC), and then transferring the CVC to criminal-controlled accounts.

“Depending on the particular facts and circumstances, this activity could constitute money transmission,” the advisory says.

Putting Municipal Ransomware Attacks— and Cyber Insurance —in Context

Entities engaged in money services business activities are required to register with FinCEN, and must file suspicious activity reports. Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.

A financial institution is required to file a suspicious activity report “if it knows, suspects, or has reason to suspect” that a transaction involves $5,000 or more in funds or other assets and involves funds derived from illegal activity.

“Reportable activity can involve transactions, including payments made by financial institutions, related to criminal activity like extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems. SAR obligations apply to both attempted and successful transactions, including both attempted and successful initiated extortion transactions,” the advisory says.

FinCEN’s advisory provides information on how insurers and others should effectively report and share information related to ransomware attacks.

Sanctions Violations

OFAC issued an advisory highlighting the sanctions risks associated with facilitating ransomware payments. OFAC said it has imposed and will continue to impose sanctions on those who “materially assist, sponsor, or provide financial, material, or technological support” for ransomware activities.

OFAC has designated numerous malicious cyber actors under sanctions programs. Individuals and organizations are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by embargoes.

OFAC may impose civil penalties for sanctions violations based on strict liability. Thus persons subject to U.S. jurisdiction “may be held civilly liable even if it did not know or have reason to know” it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

OFAC said it encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services,” the government said.

OFAC urged victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.

OFAC provides its reasons for opposing the payment of ransoms including that ransomware payments may enable criminals and adversaries to profit and advance their illicit aims. For example, they could be used to fund activities adverse to national security. Ransomware payments may also embolden cyber actors to engage in future attacks, according to OFAC.

Elsewhere in the federal government, the FBI has long advocated against paying a ransom, in part because “it does not guarantee an organization will regain access to its data.” But it has also recognized that some organization will decide to pay. In such cases, the FBI urges organizations to report ransomware incidents to law enforcement.

‘Unbearable’ Problem

Charles Carmakal, senior vice president and chief technology officer with FireEye Mandiant, a global cyber and national security firm, called Treasury’s advisory “well-intentioned,” but said it will add more “pressure and complexity to victim organizations” trying to recover after a security incident.

“OFAC already provides a list of sanctioned entities. Victim organizations are required to check the list prior to paying extortion demands,” Carmakal said. However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions, he said. “Sometimes victims pay threat actors before they are sanctioned.”

Carmakal called the ransomware and extortion problem “unbearable” and said Mandiant is aware of more than 100 organizations where ransomware operators had network access in September alone, more than double what was known in September of last year.

He said threat actors may ask for money for a decryption tool, a promise to not publish the stolen data, and a walkthrough of how they broke into the network. The extortion demands are in the 6-figure range for smaller companies and 7-8 figures for larger companies. Mandiant is aware of several victim organizations that paid extortion demands between $10 million and $30 million, he added.

The number of ransomware attack notifications against insurance clients increased by 131 percent in 2019 and the funds demanded by the attackers surged along with the counts.

According to a recent report from specialty insurer Beazley’s Breach Response (BBR) Services, cybercriminals have been asking for seven- and even eight- figure sums in some cases.

The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to access their work computer desktops or company’s primary server from home with the press of a button.

Insurance executives note that insureds, not insurers, make any decision whether to pay a ransomware demand. “[A]lthough no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more,” wrote insurance broker Marsh in a commentary last year entitled, “How Cyber Insurance Supports the Fight AGAINST Ransomware.”