Channel programs News

Feds Threaten Civil Penalties For Those Paying Ransomware Demands

O’Ryan Johnson

‘(R)ansomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,’ a memo written by the U.S. Department of Treasury states.


Companies that pay ransomware syndicates could find themselves in hot water with the federal government, according to a memo published Thursday by the U.S. Department of Treasury.

Addressing the growing threat of ransomware, the memo says some countries and international criminal groups that have been sanctioned by the U.S. government are also running ransomware syndicates. The memo warns that by funding these groups – even through the paying of ransoms to retrieve stolen data -- U.S. businesses could run afoul of multiple treaties that restrict trade to criminal groups and governments that have been sanctioned by the U.S.

“(R)ansomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the memo states. “Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data. “

The U.S. Department of the Treasury’s Office of Foreign Assets Control released the memo on Thursday, the beginning of Cybersecurity Awareness Month. It said there are two acts that could be violated by ransom payments: the International Emergency Economic Powers Act and the Trading with the Enemy Act. Both forbid U.S. citizens and businesses from “engaging in transactions, directly or indirectly, with individuals or entities” known as “Specially Designated Nationals” or “Blocked Persons List.”

“(Office of Foreign Assets Control) may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

John Hammond, security researcher at Baltimore-based Huntress Labs, works in the threat ops department, reversing malware, and finding new persistent footholds that hackers are using to get into systems. He said the memo could be a net positive if it encourages companies to be more careful when setting up their networks.

“This is not slowing down and the government can’t particularly control that. But look, your defense here is having backups. There’s no excuse in 2020 to not have back ups,” he told CRN. “We support the idea that you should never pay a hacker. You are only encouraging them to commit more crime.”

Brett Callow, a threat analyst at ransomware fighters Emsisoft, a New Zealand based software company, said the bulletin itself does nothing – in fact the memo says it is not a legal opinion, just an advisory --but it backs up Emsisoft’s position which is there should be a ban on all payments to ransomware syndicates, since those payments are the only thing perpetuating the crime.

“The provisions and sanctions already exist, and the advisory is simply a reminder that they’re there,” Callow told CRN in an email. “The sanctions only apply to a small number of threat actors, so have little overall impact and ransomware continues - and will keep on continuing - to be as much of a problem as ever. We believe the only real solution to the problem is a complete prohibition on the payment of ransoms, and this is something we recently called for.”

Matt Hildebrandt, who runs StrataDefense, a Wisconsin-based MSSP, said this is a great reminder to have a lawyer and an insurance company in your corner before an attack happens.

“When you are talking about dealing with, whether its ransomware, or any malware, get legal involved immediately,” he told CRN. “You are starting to get into a territory now where insurance companies aren’t going to pay up if you don’t follow protocol … the underlying thing is backup, backup, backup, backup, backup and making sure that you have practices in place that are protecting those backups.”

Mark Essayian, president of KME Systems Inc., an MSP in Lake Forrest, Calif. said with massive, Fortune 500 tech companies being cryptolocked by ransomware this memo could be used by victims as a bit of a shield.

“Maybe this is a way of giving publicly traded companies cover saying, ‘Hey, we can‘t pay this money, because then we’ll be put out of business by the federal government,’ “ he told CRN. “I think it’s a net positive that they are going to force people that think they should just pay the ransom to take a deep breath and pause … I mean, you’re funding the guy that broke into your house so he can break into your neighbor’s house.”

Respected ransomware expert Kevin McDonald, chief operating officer of Alvaka Networks, said the company has never facilitated a payment to a ransomware group and would not. He said lawmakers should designate ransomware as a form of terrorism.

“It‘s absolutely real. It’s devastating. It’s entity killing stuff, and it needs to be treated as domestic terrorism,” he said. “There’s nothing more stressful than knowing everything you own has been encrypted. You very likely are going to have to report to the world that you’ve had a security breach, which can be devastating to your reputation. You may have to pay a lot of money to some real human scum to recover from it. And then you have to spend potentially millions or hundreds of millions in some of the cases we’ve seen recovering from it.”

Unfortunately, he said, in this memo it appears that the federal government is coming down hard on the victims of the crime, but doing very little to stop the attacks in the first place.

“It puts a bit of a moral question mark over the federal government because they‘re not doing very much to defend us, or help defend the populace,” he told CRN. “The laws that are around this are weak as far as I’m concerned. This is domestic terrorism. It should be 25 to life in jail for if you get caught doing ransomware. But now they say, ‘Well if you have to pay to get out from under it and save your company and all your jobs. You’re a criminal.’ I have a problem with that.”

In a break with other security experts CRN talked to, he said backup will not save you from ransomware.

“Even with a full business continuity system in place, the recovery work that has to be done to verify that you‘ve ejected a bad actor in an enterprise can take months, and be hundreds of thousands if not millions of dollars because once they’re inside you have to know why? Where? How? Are they gone? Is a piece of them left behind and going to let them back in?” he said.

Bryan Seely, senior security architect with Cyemptive Technologies in Seattle, said payments or not, one driver of malware, is that many ransomware victims don’t believe they will get hit until it is too late.

“The reason they‘re not backing up their stuff is not because there’s not a strong enough incentive,” he said. “It’s that people don’t believe they’re going to get hit.”

Learn More: Network Security
O’Ryan Johnson

O’Ryan Johnson is a veteran news reporter. He covers the data center beat for CRN and hopes to hear from channel partners about how he can improve his coverage and write the stories they want to read. He can be reached at

Sponsored Post