Russia’s sanctions complicate paying ransomware hackers

The almost uninterrupted series of new US sanctions imposed in an attempt to stop Russia’s war machine has complicated events for companies facing their own external threat: ransomware attacks.

The increasingly long lists of sanctioned devices pose risks to U.S. companies that want to pay to get their systems online again after an attack, experts said.

Ed McNicholas, co-head of cybersecurity practices at law firm Ropes & Gray LLP, said it has recently become “much harder” to ensure that ransomware payments do not go to sanctioned Russian entities.

Ed McNichola’s Co-Leader of Cybersecurity Practices at Ropes & Gray LLP


Photo:

Ropes & Gray LLP

“The overlap of the emergence of ransom and then these extensive sanctions against Russia has created something of a firestorm in terms of the ability to pay ransoms,” he said.

Traditionally, the list of sanctioned entities has mostly been relevant to those in financial services, but recent increases in ransomware attacks have meant that cybersecurity experts have had to do their best to ensure that ransom payments do not go to blacklisted entities. .

Efforts to stay up-to-date have become more intense as the United States has steadily piled up sanctions, said Bill Siegel, CEO of Coveware Inc., which helps companies handle negotiations and other work related to cyber-blackmail attempts.

“With the war, it has become incredibly dynamic where the whole landscape can change or change when you wake up in the morning,” said Mr. Seal. “There are more sanctions every single day.”

Ransomware attacks are increasing in frequency, loss of victims is skyrocketing, and hackers are moving their targets. WSJ’s Dustin Volz explains why these attacks are on the rise and what the United States can do to combat them. Photo illustration: Laura Kammermann

U.S. law imposes so-called strict liability on anyone who makes a payment to a sanctioned entity – meaning that a failure to present sanctions does not absolve the paying party.

So far, U.S. law enforcement officials have not publicly targeted a company to pay a ransomware payment to a sanctioned entity, but several experts have said that some form of enforcement activity is likely.

The U.S. Treasury Department’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network have both highlighted ransomware payments in recent months. OFAC said in September that it “strongly discourages” extortion payments and reiterated that it can intervene against payers.

Matt Lapin, partner at law firm Porter Wright Morris & Arthur LLP


Photo:

Click by Courtney

“It’s likely that OFAC will seek to set an example,” said Matt Lapin, a partner at law firm Porter Wright Morris & Arthur LLP, which specializes in international transactions and international trade law.

Mr. Lapin said he believed OFAC would most likely intervene against a ransomware-paying company that had not performed appropriate due diligence on its payment or failed to communicate proactively with law enforcement or OFAC itself.

In March, FinCEN warned financial institutions to watch out for Russia-related ransomware attacks, and OFAC earlier this month sanctioned a “darknet” market and cryptocurrency exchange suspected of involvement in ransomware payments.

To prevent companies from inadvertently violating the law, Coveware runs information collected in connection with attacks through a series of analyzes, collecting data on behavior patterns, the code used and other forensic artifacts, said Mr. Seal. The company is also trying to ensure that the attacker is a financially motivated criminal rather than a state-affiliated actor, he said.

Coveware refuses to facilitate a payment to a presumed sanctioned entity – anyone involved in facilitating a payment to a sanctioned entity may be found liable for violating the law – but has prompted customers to ask to ignore sanctions, Mr said. . Seal.

Even without an enforcement action, the mere possibility of an action by the OFAC enforcing sanctions may be enough to complicate a ransomware payment. Civil sanctions can range from thousands to millions of dollars.

Insurance companies may be reluctant to make payments if there is any indication of the involvement of a sanctioned entity, said Roberta Sutton, a partner at Potomac Law Group PLLC, whose practice focuses on insurance recovery and risk management.

After one of Mrs Sutton’s customers, a company she refused to name, which provides information technology-related services, made a ransomware payment to release its systems after an attack in June 2020, the company has not been paid by its insurance company, she said . A third party not involved in the investigation wrote an article suggesting the attack could be attributed to a sanctioned entity, prompting the insurance company to halt the $ 1 million payment, Sutton said.

“It’s so frustrating,” she said. “A million dollars is pretty big for this client. It has had to encourage its investors for more capital.”

The insurance company, which she also declined to name, contacted OFAC for guidance but has not yet received a response, she said.

Covewares Mr. Siegel said companies should be proactive in strengthening their security and running table exercises to try to avoid being taken by surprise by an attack.

“Most companies are approaching this risk for the very first time when the incident happens,” he said. “Suddenly, during this horrific incident, the company is down – oh, and by the way, there’s this terrible risk of this objective liability problem with one of the scariest regulators out there. They’ve forced to understand it under duress.”

More from Risk & Compliance Journal

Write to Richard Vanderford at richard.vanderford@wsj.com

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8

Leave a Comment

Your email address will not be published.