U.S. Treasury Department Warns Ransomware Victims: Payment Could Violate Sanctions

By James Hamilton
10/27/2020

On October 1, 2020, the Office of Foreign Assets Control (OFAC) at the Department of the Treasury issued an advisory on the legal risks that ransomware victims face if they comply with the ransom demand. In particular, OFAC warns that ransomware payments may violate regulations that prohibit financial transactions with designated entities. Because OFAC may impose civil penalties on a strict-liability basis, the mere act of paying the ransom without first obtaining a license from OFAC could expose the payor to civil or criminal liability even if the payor did not know that the recipient was a sanctioned party. The advisory makes clear that the same risk extends to the parties that facilitate a payment on the victim's behalf, including financial institutions, cyber insurance firms, and digital forensics and incident response companies.

Ransomware is a type of malicious software, or malware, that prevents victims from accessing their files, typically by encrypting them. After the victim is infected, the attacker demands payment of a ransom in exchange for the key needed to restore access to the files. Ransomware attackers typically demand payment in cryptocurrency, such as Bitcoin or Ether, because such payments are hard to reverse and hard to trace to a real-world identity.

The economic damage wrought by ransomware is difficult to estimate. One widely cited figure puts the average cost of a data breach of any kind, including remediation and ransom payments, at around $3.86 million. Although ransomware typically exacts its costs in terms of ransoms paid, consultants hired, and productivity lost, a recent ransomware incident in Germany demonstrates that the stakes can be much higher. For about a week in early September, a hospital in Düsseldorf was forced to turn away patients after ransomware disabled the hospital's computer systems. One patient in critical condition had to be sent to another hospital about 19 miles (30 kilometers) away, but the patient died before she arrived. The incident is being reported as the first known death caused by a cybersecurity breach, and German authorities are investigating it as a possible case of negligent homicide.

For victims of ransomware, paying the ransom may appear to be a simple and cost-effective way to regain access to critical data and systems quickly. The reality is not so simple. An international survey of ransomware victims conducted by British security company Sophos Group found that only about one in four victims actually pay the ransom. The same survey showed that paying the ransom roughly doubles the average cost of recovery, from $732 thousand to $1.4 million. Sophos attributes this counterintuitive result to the fact that, even after the ransom is paid, IT personnel still have to go through the painstaking work of decrypting files and restoring downed systems; the ransom is an added expense on top of that work, not a substitute for it. Victims who do not pay instead restore data from backups or continue business without the data. For these victims, the time and effort to restore from backups may be comparable to the effort of recovering files after a payment, but they have avoided the expense of the ransom. The Sophos report also notes that only a small percentage of victims who paid did not get their data back. This high likelihood of recovery after payment makes paying attractive to businesses that do not have adequate backups, which is precisely the situation the advisory is meant to address.

There is a burgeoning industry in cybersecurity insurance. Insurers now offer coverage for both first-party losses (business interruption, data restoration) and third-party losses (liability for data breaches, interruption of client access). Even if a company does not have a specific cybersecurity insurance policy, a general business insurance policy might cover the cost of remediation after a ransomware attack. However, insurers often dispute such claims. In at least one case, a ransomware victim prevailed in court over its insurance provider after the insurer denied the victim's claim for reimbursement of recovery expenses. The district court determined that the business insurance policy's coverage for "physical loss or damage to" the victim's computer systems included the type of damage caused by a ransomware attack, even though the hardware itself was not physically destroyed.

In response to the mounting costs of cybersecurity incidents, in 2019 the insurance industry released its first list of designated security products whose use would potentially qualify policyholders for "enhanced terms or conditions" in their cybersecurity insurance policies. Earlier, the National Association of Insurance Commissioners (NAIC), the body of state insurance regulators, adopted the Insurance Data Security Model Law, which is intended to promote better data protection within the insurance industry itself. Proponents of the model law, including the U.S. Treasury Department, suggest that widespread adoption would help mitigate damage from data breaches by requiring insurance providers to maintain an information security program and to investigate and report cybersecurity events affecting the insurer to the state insurance commissioner. The model law imposes data protection requirements only on insurance providers and is intended to prevent compromise of the consumer data they hold. However, it does not take much imagination to predict that standards applied to the insurance industry will eventually become conditions that policyholders must meet to qualify for coverage. As of June 2020, only 11 states had adopted the model law.

According to OFAC's ransomware advisory, a number of ransomware attackers have been designated under the U.S. cyber-related sanctions program, including the developer of Cryptolocker, the Iranian operators behind SamSam, North Korea's Lazarus Group (linked to WannaCry), and the Russia-based Evil Corp. The cyber-related sanctions program was established by President Obama in 2015 through Executive Order 13694 and expanded in 2016 under E.O. 13757. These executive orders were issued under the authority of the International Emergency Economic Powers Act (50 U.S.C. §§ 1701–1708) and the National Emergencies Act (50 U.S.C. §§ 1601–1651). Under E.O. 13694, as amended, U.S. persons are prohibited from engaging in transactions with persons designated by the Secretary of the Treasury for engaging in significant malicious cyber-enabled activities that threaten U.S. national security, foreign policy, economic health, or financial stability. Prohibited transactions include transferring, paying, exporting, withdrawing, or otherwise dealing in the property or interests in property of designated entities. Violations can result in civil monetary penalties of roughly $250,000 (adjusted for inflation) or twice the value of the transaction, whichever is greater, or criminal penalties including fines of up to $1 million and imprisonment for up to 20 years.

Businesses that want to conduct transactions, including ransomware payments, with entities designated under a sanctions program can apply for a license from OFAC. A license issued by OFAC can be a general license or a specific license. A general license authorizes particular categories of transactions for all U.S. persons, whereas a specific license applies only to the specific licensee. As of the time of this publication, OFAC has issued only one general license under the cyber-related sanctions program, General License No. 1A, which authorizes transactions with Russia's Federal Security Service (FSB) that are necessary to obtain the permits and certifications required to import or distribute information technology products in Russia. Ransomware victims who want to pay a ransom to a designated entity will therefore need a specific license that permits the transaction. However, OFAC cautions that license applications proposing to pay a ransomware attacker will be reviewed with a "presumption of denial." The advisory also encourages victims to contact law enforcement promptly and states that timely, complete reporting of an attack and cooperation with law enforcement will be treated as significant mitigating factors if a payment later turns out to have a sanctions nexus. A searchable list of entities subject to sanctions, the Specially Designated Nationals and Blocked Persons (SDN) List, is available on the OFAC website, although a ransom note rarely identifies its author, so checking the list is no guarantee that the recipient is not a designated party or acting on behalf of one.

Of course, the best approach for mitigating the effect of ransomware is to avoid infection in the first place, or at least to make infection survivable without payment. Malwarebytes, an American Internet security company, recommends a defense-in-depth approach: invest in security software with real-time protection against malware; regularly back up data and keep the backups offline or otherwise isolated so that the ransomware cannot encrypt them along with the live data; keep systems patched with the latest software updates; and educate staff on recognizing phishing and other common infection vectors.

The threat of ransomware is not likely to abate anytime soon. Businesses should follow industry best practices to avoid infection and protect business and customer data, and should periodically test that their backups can actually be restored. It is also a good idea to review business insurance policies to determine the appropriate level of coverage in case of a ransomware or other cybersecurity incident. Businesses that fall victim to ransomware should involve law enforcement and understand all of the potential consequences, including the sanctions risk described above, before they or anyone acting on their behalf pays a ransom.