Tag Archives: OFAC

Is It Okay to Pay a Ransomware Demand?

The FBI has said for years that paying a ransomware ransom is a bad idea. It rewards the attackers and funds their next campaign.

But last week the decision became harder when the Treasury Department said it would add ransomware operators connected to terrorist organizations to the list of people and entities that Americans are not allowed to do business with, the Specially Designated Nationals (SDN) list. That list is managed by OFAC, the Office of Foreign Assets Control.

That makes paying a ransom to one of these organizations a federal crime, punishable by up to 20 years in prison and/or a $1 million fine, or by civil penalties of up to $55,000.

The penalties can be levied against the company trying to get its systems back, and also against the law firms, insurance companies, banks, security service providers or anyone else in the chain between the hackers and the victim.

While most people understand that paying ransom is not a good idea, if the choice is between paying the ransom and watching your firm close, many companies hold their noses and pay. A recent survey of 5,000 IT pros found that 26% did pay a ransom, and virtually all of them got their data back. Company execs have to answer to customers, employees, investors and the general public. Not an easy call to make.

One of the challenges, if you do plan to pay the ransom and do not want to spend the next 20 years as a guest of Uncle Sam (unlikely, but possible), is figuring out whether the particular hacker you are paying is on the Specially Designated Nationals list. After all, they don’t exactly give you their Social Security Number to look up. What they do give you is a cryptocurrency payment address, and those addresses are exactly what OFAC has started adding to the list.

Another challenge executives face is ransomware 2.0, the variant where the hackers first steal your data and then threaten to publish or sell it if you don’t pay. Backups don’t help here, because the damage is the disclosure rather than the encryption, so once the data is gone there is no good technical defense against this form of ransomware.

Most insurance policies have a clause saying the insurer will not facilitate a crime, so if it is determined that paying the ransom may be a crime, most insurance companies will decline to pay it.

That doesn’t get the insurance company off the hook, though: they still have to make you whole, even if doing so is more expensive for them than the ransom would have been.

Now would be a good time to talk to your insurance provider and ask how they plan to handle this situation. OFAC sanctions are enforced on a strict liability basis: even if you violate them unintentionally, you are still liable, and the burden is on you to show you did your due diligence.

The feds would like you to share information about ransoms you paid, but for many companies the main purpose of paying is to keep the incident quiet, even though staying quiet is, most of the time, itself illegal because breach notification laws require telling the authorities or the victims. Telling the FBI that you paid a ransom and notified neither is not a plan that law enforcement is going to view favorably.

We are seeing a lot of attacks against healthcare. Forcing a hospital to shut down or divert ambulances can cause patients to die. Even if the hospital can keep operating, the attack will almost always degrade patient care, even though hospitals will say everything is fine because they do not want to be sued. All of this in the middle of the worst pandemic in 100 years.

Unfortunately, other than keeping the hackers out, there are no good answers. I recommend working hard to keep the hackers out. Credit: The Record

What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V ?

Some of you probably figured out that it is a cryptocurrency (in this case Bitcoin) address, commonly if loosely called a wallet. But there is something that makes this one different from the tens of millions of Bitcoin addresses out there in the wild.

Making a payment to this Bitcoin address may classify you as a terrorist and subject you to arrest and prosecution.

But, you say, you were hit by a ransomware attack and you need your data back.

Sorry, says the government, you are still a terrorist.

Enough, you say, with this riddle.  Explain what the **bleep** is going on.

OK, here is the story and most of it is not news to anyone who has worked in financial services.

The U.S. Treasury Department has an office called OFAC, the Office of Foreign Assets Control. Predecessors to the current OFAC have been around since at least the 1940s.

The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to terrorists. In fact, when I was in the title and escrow business, we checked each and every payment, inbound and outbound, to make sure that we were neither accepting money from terrorists nor sending money to them. We had special software to do this, since we made tens of thousands of payments a day.

OFAC manages a list of what it calls Specially Designated Nationals (SDN): basically, terrorists and the people who help them, along with other sanctioned parties. As of today, the PDF version of that list is 1,254 pages long.

As a way to squeeze terrorists, the government has started adding cryptocurrency wallet addresses to the SDN list. The government expects that every time you make a cryptocurrency transaction, you check that the recipient address is not on the SDN list. If you use a service like Coinbase or one of its competitors, they do that screening for you. If you arrange the Bitcoin transfer yourself, they expect you to do it.
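The check described above (and the question in the first post about how you would even know whether the hacker you are paying is listed) can be done against the machine-readable SDN list that OFAC publishes alongside the PDF. The following is an added example written for this page, not OFAC's software and not any vendor's screening product. It assumes the layout of OFAC's sdn.csv (no header row, twelve quoted columns, "-0-" for empty fields, identifiers in the final Remarks column in the form "Digital Currency Address - XBT <address>"); the three rows below are constructed for the example, with made-up entry numbers and names, and the only real address in them is the one this post is about. The function names (load_blocked_addresses, screen, base58check_ok) are mine.

```python
"""Screen a cryptocurrency payment address against an OFAC SDN-style list.

Added illustration for this post. Use the official list from treasury.gov
(or a commercial screening service) for any real decision.
"""
import csv
import hashlib
import io
import re

# Constructed sample rows in the layout of OFAC's sdn.csv (assumption: twelve
# quoted columns, no header, "-0-" for empty fields, identifiers in Remarks).
# Entry numbers, names and the bc1.../0x... addresses are made up; the first
# XBT address is the one the post names.
SDN_CSV_SAMPLE = '''\
10001,"EXAMPLE PERSON ONE","individual","CYBER2","-0-","-0-","-0-","-0-","-0-","-0-","-0-","Digital Currency Address - XBT 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V; Digital Currency Address - XBT bc1qxamplexamplexamplexamplexamplexample0; Nationality Example."
10002,"EXAMPLE EXCHANGE LTD","-0-","CYBER2","-0-","-0-","-0-","-0-","-0-","-0-","-0-","Digital Currency Address - ETH 0xABCDEF0123456789ABCDEF0123456789ABCDEF01; Registration Number 00000 (Example)."
10003,"EXAMPLE VESSEL","vessel","IRAN","-0-","-0-","Cargo","-0-","-0-","Example","-0-","-0-"
'''

# "Digital Currency Address - <TICKER> <address>" as it appears in Remarks.
ID_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+)")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def normalize(ticker, address):
    """Canonical form for matching. Base58 addresses (legacy Bitcoin '1...'/'3...')
    are case-sensitive and must not be lowercased; bech32 ('bc1...') and hex
    ('0x...') addresses are case-insensitive, so they are folded to lowercase."""
    addr = address.strip()
    if addr.lower().startswith(("bc1", "0x")):
        addr = addr.lower()
    return ticker, addr


def load_blocked_addresses(sdn_csv_text):
    """Map (ticker, canonical address) -> (entry number, SDN name)."""
    blocked = {}
    for row in csv.reader(io.StringIO(sdn_csv_text)):
        if len(row) < 12:
            continue
        ent_num, name, remarks = row[0], row[1], row[11]
        for ticker, addr in ID_RE.findall(remarks):
            blocked[normalize(ticker, addr)] = (ent_num, name)
    return blocked


def base58check_ok(address):
    """True if a legacy base58 address has a valid 4-byte double-SHA256 checksum.
    A mistyped address screens as 'not listed', so malformed input is flagged."""
    n = 0
    for ch in address:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(address) - len(address.lstrip("1"))  # each '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + raw
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def screen(ticker, address, blocked):
    """Return (verdict, detail): BLOCKED, MALFORMED or CLEAR.
    Matching is exact on the canonical form; fuzzy matching is deliberately
    avoided because a near-miss is not evidence either way."""
    key = normalize(ticker, address)
    if key in blocked:
        ent_num, name = blocked[key]
        return "BLOCKED", f"matches SDN entry {ent_num} ({name})"
    if ticker == "XBT" and not key[1].startswith("bc1") and not base58check_ok(key[1]):
        return "MALFORMED", "bad base58check checksum; re-check the address before trusting a CLEAR result"
    return "CLEAR", "no SDN match"


if __name__ == "__main__":
    table = load_blocked_addresses(SDN_CSV_SAMPLE)
    for t, a in [("XBT", "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V"),
                 ("XBT", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
                 ("XBT", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")]:
        print(t, a, *screen(t, a, table))
```

Two design points matter in practice. First, the list is keyed on the canonical form of the address, and the canonicalization differs by address type: folding a legacy base58 address to lowercase would turn a real match into a miss. Second, a CLEAR result is only meaningful if the address you screened is the address that will actually be paid, so the checksum test catches the case where a transcription error would otherwise make a listed address look clean. Refresh the list from treasury.gov before every screening; entries are added without notice.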

Since the Bitcoin blockchain is publicly visible (as most blockchains are, unlike privacy-focused coins such as Monero), it is easy for the government to watch transactions and see who is sending money to that address. Transfers are pseudonymous rather than anonymous; if done carefully (a fresh address used for only one transaction, plus other precautions) the government may or may not try to find you if you violate the OFAC rules, but if you are a money handler, they will definitely come after you. And if you fund the Bitcoin payment from a bank account, the anonymity is totally gone.

Recent penalties for violating OFAC rules ranged from a low of $87,000 to a high of $53,966,000. Big range, although $87,000 is still a large number.

There is a mechanism for requesting permission (OFAC calls it a specific license) to send money to a person on the SDN list (a blocked person or blocked entity), but I doubt the process is simple or quick, two things that matter when you are trying to unlock your data.

The simple solution is don’t get attacked by ransomware (easier said than done), or only get hacked by friendly hackers, or hope that your attacker is not on the SDN list. Otherwise, check whether the address you are paying is on the bad guy list before the money moves.

We live in interesting times. Information for this post came from Bleeping Computer; information on OFAC and the SDN list can be found here.