EXECUTIVE SUMMARY:

For the year of 2019, roughly 500,000 targeted ransomware attacks prompted organizations to collectively pay hackers more than $6 billion dollars. In these cases, paying the ransom appeared to be the only means of quickly restoring computers and recovering data.

The big news from the US Dept. of the Treasury’s Office of Foreign Assets Control?

The FBI has always condoned the practice, but their condemnation lacked teeth. The OFAC now has more specific regulations around ransomware payments, and can impart penalties on those who flout the rules.

Said the OFAC, “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating [new] OFAC regulations.”

Across the past few years, the OFAC has imposed sanctions on the most prolific cyber criminal groups, with emphasis on those based in North Korea and in Russia. Businesses that make payments to these sanctioned groups may now see civil penalties, “even if it [the organization] did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by the OFAC,” writes Brian Krebs.

Why now?

The OFAC’s reinforced policies are intended to not only stop the ransomware infinity loop, but also to guard against the potential for ransomware payments to unwittingly finance activities that could place US national security at risk.

For more information about ransomware attacks and the OFAC’s recent announcement, visit the US Department of the Treasury’s website.