Last year, before the onset of the Russia-Ukraine war, nearly 75 per cent of cryptocurrency payouts for ransomware went to Russia, according to a study conducted by Chainanalysis. Let that sink in a moment. Then consider the legal ramifications of paying those ransoms now that Russia is a sanctioned country.
To Kurtis Minder, CEO of digital risk protection firm, GroupSense, these new sanctions mean he’ll be forced to turn down more ransomware victims seeking response and negotiation services or else risk running afoul of a growing list of sanctions issued by the Treasury Department’s Office of Foreign Assets Control (OFAC).
As opposed to the specific OFAC sanctions list, Russian sanctions are wide and ambiguous, making them difficult to abide by without proper intelligence and context, said Minder, who’s negotiated hundreds of ransomware payouts over the past two years.
“The U.S. government is sanctioning entities within Russia at an increasing rate. So even with the OFAC list, we still need to use our company’s external intelligence and risk data — in addition to the sanctions lists — to understand if the victim is paying directly to a sanctioned entity or through an affiliate program that is loosely tied to a sanctioned group or region,” he explained.
Most of these sanctions are an extension of a Whitehouse initiative to combat ransomware by disrupting ransomware gangs, bolstering resilience, making laundering through cryptocurrency more difficult, and addressing safe harbors like those in Russia.
It’s important to note that Russia isn’t the only sanctioned country. In 2019, OFAC sanctioned North Korea. The Federal Bureau of Investigation (FBI) has been trying to get companies associated with China added to the list since 2012 with limited success, said Darren Mott, who managed FBI cyber and counterintelligence squads for 20 years before retiring in 2019.
Politics tighten sanctions on ransomware payments
Since Russia launched its war against Ukraine, paying ransoms to Russian entities has become a political hot button, with Secretary of Treasury Janet Yellen lamenting how ransomware criminals operate in Russia with impunity. The Treasury Department’s release also declares that paying ransomware payouts to an entity in a sanctions nexus is a threat to U.S. national security.
“Fourteen years ago, back in 2008, FBI agents in Russia recognised that Putin was the crime boss behind most of these types of cyberattacks coming from his country," argued Scott Augenbaum, who recently retired after 29 years leading cybercrime investigations in the FBI.
"And now, because the issue is political, we punish the victims? That’s absurd. Paying ransoms should not be a political issue because by the time it gets to the stage of negotiating the ransoms, the victim company is already behind the eight ball with no other way out."
In a recent blog post, Luke Schaetzel, associate in the Benesch law firm’s data protection group, describes how wilfully violating these sanctions when paying ransoms can lead to fines up to $1 million dollars and/or up to 20 years in prison per violation.
Aggravating factors determining the civil penalties include wilful or reckless violation of law, concealment of the payments, management involvement, awareness of conduct, cooperation with OFAC, and prior notice.
While no businesses have yet been charged for paying ransoms under these sanctions, those that violate them can be slapped with civil and criminal penalties even if the victim doesn’t know they’re in violation, Schaetzel told CSO.
OFAC’s list of sanctioned groups is more specific and includes ransomware names, related URLs and dark web addresses, individuals, server IP addresses, and email addresses. Sanctions against countries, particularly during times of war, are farther reaching and make paying ransoms that much more complicated, Schaetzel said.
“These wartime sanctions can apply to a swath of officials, banks, and state-owned entities in Russia. Paying ransoms to or through any of these groups funded by the Russian banks or other officials could be in violation of sanctions laws,” he explained. “So, if you have any inkling of suspicion that a Russian entity subject to sanctions is involved or could be involved, don’t pay the ransom.”
Sanctions list out of date
Take, for example one of the top Russian ransomware groups, Conti, which at the start of the war threatened to strike the critical infrastructure of anyone attempting to hack Russian assets. Conti emerged from affiliate organisations that may not be directly on the sanctions list but are still sanctioned because of the affiliations, Schaetzel pointed out.
Conti is an outgrowth of the Ryuk ransomware, created by a Russian criminal group known as Wizard Spider, which is also sanctioned and behind the TrickBot botnet. Thus, paying to or through any of these entities would be in violation of sanctions.
That’s a problem. Many of the Russian agencies listed on the OFAC list (last updated in November 2021) have shut down and moved on, meaning the list itself is obsolete. Because of this, and because attackers don’t care about them, the sanctions lack teeth and hurt the victim more than the criminal, Mott contended.
“OFAC doesn’t have the manpower to track all bitcoin transactions to see if they’re being paid to a sanctioned entity or country. And I would argue that those bitcoin addresses on the sanctioned list are obsolete by now,” Mott said. “The ransomware operators can shut down and reopen under a new name overnight, but it takes about a year for an entity to make it onto the OFAC sanctions list.”
An example is REvil, which supposedly shuttered operations in January after extraditions and arrests by the FBI. Now REvil seems to have reemerged under a Russian dark web marketplace called RuTOR. Another example is Conti, which changed names and diversified into multiple spinoffs since its operators threatened to defend Russia with counterattacks.
Be ready before a ransomware attack
Knowing who to report to by establishing pre-relationships with your local FBI cyber field office is critical when dealing with a ransomware infection, Mott said.
While in his latest assignment as head of the FBI’s counterintelligence squad in 2019, Mott recalls how one of his office’s special agents (SAs) called a CIO at a local company and informed the CIO that un-activated Russian-based ransomware was on the CIO’s network.
To verify, the CIO called Mott, who personally confirmed that, yes, their SA was who he said he was and that a ransomware gang was putting files on the system that hadn’t yet activated. Mott then reiterated the remediation measures the CIO needed to take.
The CIO still didn’t believe them. When the CIO didn’t respond in the next two days, the cyber squad supervisor shared with the CIO the file names on their system, where to find them, and how to remove them.
“Then the CIO sent email to the special agent in charge of the field office to get additional verification, and the ransomware operator saw that email and immediately encrypted the company’s data, which illustrates how important it is to know your FBI agencies before you need them,” he added.
Relationships with authorities will also reduce liability in the case the victim unknowingly pays ransom to or through sanctioned entities and affiliates. If, under the weight of ransomware attack, the victim organisation has reached out to the FBI, it demonstrates cooperation with law enforcement, said Bob Seeman, managing partner at CyberCurb, who focuses on cryptocurrency payments, board sophistication and cyber insurers.
“Have a provable compliance program in place ahead of time," he advised. "For assistance, you can turn to cyber insurance companies that will help you hire the right risk mitigation people, ransomware negotiators, law firms, and forensic investigators.
"A qualified team would check the sanctions list and look for indicators that this cyber attacker is affiliated with a sanctioned entity. And be sure to notify law enforcement immediately of any ransomware attack — particularly the FBI, which is the top agency dealing with ransomware.”
To this end, victims and law enforcement need to work together and share intelligence. For example, Mott suggests sharing the tactics, techniques and procedures (TTPs) and memory capture of impacted devices with the FBI who uses this information to build profiles. If a ransom is paid, sharing the digital key to unlock the ransomware is also critical intelligence to share with the FBI.
When preparing to report, the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA's) Stop Ransomware program site instructs victims to take care when preserving evidence that is highly volatile in nature or limited in retention to prevent loss or tampering (such as in system memory, Windows security logs, or data in firewall log buffers). The FBI also instructs victims to check if the bureau has a decryption key, which may be available for a specific ransomware strain.
This intelligence is shared back to the IT community through the Stop Ransomware program that has consolidated advisories and instructions for prevention, detection, and response (including links to the OFAC sanctions list).
“The FBI, with our partners in government and industry, will continue to work together to prevent, identify, and disrupt this type of malicious activity,” said an FBI spokesperson in written response to questions about this article.
“We strongly encourage companies’ network defenders to review several recent Cybersecurity Advisories (CSA) we’ve published. These CSAs are one of the ways the FBI and our partners quickly share new, important tactical information from our investigations, such as specific Russian malware signatures, indicators of compromise, and changes in their tactics.”
Focus on ransomware prevention
With legal liability tied to paying ransoms to Russian and other sanctioned entities, prevention becomes even more critical for enterprise CISOs. Start with the basics, Augenbaum suggests.
For example, weak RDP credentials, which are not complicated to secure, are a main infection vector in the cases he’s examined. Start with the top three vulnerabilities that he consistently uncovered during his investigations: over-permissive/shared admin rights, lack of application whitelisting, and lack of visibility into systems and networks.
“No one expects to be a victim, which is the biggest mistake organisations make when it comes to preparedness,” Augenbaum added. “The other mistake is expecting the FBI to ride to the rescue with the encryption keys and solutions to unlock the data. All that an organisation can control is their own vulnerabilities and utilise tools and best practices to prevent Ransomware infections.”