Paying a ransom to a hacker who launched a ransomware attack could result in government fines

Ransomware , which restricts access to infected computers and demands money instead of lifting the restrictions, has become a major problem around the world. The US Treasury warned on October 1, 2020 that 'if you are attacked by ransomware and pay the hacker ransom, you may be fined by the government.'

US Treasury warns cyber insurers payments to hackers may violate sanctions | Reuters
https://www.reuters.com/article/us-ransomware-insurance-idUSKBN26M7J3

Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam — Krebs on Security
https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/

Due to the pandemic of the new coronavirus infection (COVID-19), the demand for remote work is increasing all over the world, and the damage caused by ransomware targeting online systems is increasing. A study by Coveware , which negotiates and advises companies affected by ransomware , found that hackers demanded an average increase of 60% in ransom between the first and second quarters of 2020, or 170,000. It is said that it has reached 8254 dollars (about 18.8 million yen).

It has also been pointed out that the ransomware attack is damaging medical companies that support the development of the new coronavirus vaccine, and in September 2020, a ransomware attack on hospitals will kill patients who were in transit. Things are happening.

The first case of a patient dying as a result of a hospital being hit by a ransomware is reported-GIGAZINE

Regarding such a ransomware attack, the Office of Foreign Assets Control (OFAC) and the Financial Crimes Investigation Network (FinCEN) of the U.S. Treasury Department said, You may be fined by the government. '

The fine will occur if the organization that launched the ransomware attack is a criminal group that has been subject to economic sanctions by OFAC, such as North Korea, Iran, and Russia. OFAC imposes sanctions such as freezing assets related to these criminal groups, so if you pay the ransom for ransomware damage to these criminal groups without the permission of OFAC, you will be 'sanctioned by OFAC. It is said that it may be fined up to 20 million dollars (about 2.1 billion yen) for being considered as 'providing funds in violation'.

It's hard for ransomware-affected companies to know if an attacker is subject to OFAC sanctions, but Ginger Faulk, a partner at Washington, DC law firm Eversheds Sutherland, said. He pointed out that a person could be fined without knowing the identity of the hacker. Under OFAC regulations, even if you are not aware that you are dealing with a sanctioned party, you will be held liable for civil liability.

Many law enforcement agencies believe that not paying a ransom to a hacker is a deterrent to ransomware attacks, but quite a few companies are willing to pay a ransom to resume their normal business. In addition, an increasing number of companies specialize in negotiating ransom terms and providing advice.

However, Fabian Wosar, CTO of computer security company Emsisoft, points out that the Treasury's recommendations do not affect many ransom brokers. Many agents are already familiar with OFAC sanctions and their implications, and are contacting OFAC personnel to identify risks. 'Hackers are likely to be subject to OFAC sanctions.' If it is judged that it is, the negotiation agency is often refused. As such, Wosar said the recommendation is essentially a warning to companies that are not cooperating with law enforcement agencies or negotiating agencies.