Companies traumatised by ransomware could face fines of up to $20 million if they pony up to extortionists already listed on financial crime sanctions lists, the US Treasury Department has warned.
In an advisory, the Treasury's Office of Foreign Assets Control (OFAC) states: "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
Ransomware attacks have skyrocketed during the pandemic, with a number of high-profile perpetrators tied to state actors or big criminal syndicates. The North Korean Lazarus Group and Russian cybercrime outfit Evil Corp. are among a number of organisations that have already been placed on US sanctions lists, making it illegal to transact with them.
The Treasury states that businesses that pay up to sanctioned cybercrime organisations without first receiving a special dispensation or a licence could face fines of up to $20 million.
"Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims," states the advisory. "For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks."