SIM Report: North America, Issue 8

United States: Treasury warns of fines for ransomware payments to sanctioned groups

In an advisory published in early October, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned companies that they could face fines for paying or facilitating ransom payments to sanctioned criminal entities. The advisory, which notes an increase in ransomware attacks during the coronavirus (COVID-19) pandemic, warns that ransom payments could be used to fund activities hostile to the national security and foreign policy objectives of the US, and may also encourage hackers to carry out future attacks. Furthermore, OFAC warns that paying a ransom does not guarantee that a victim will retrieve access to stolen data.

OFAC’s advisory comes several months after a high-profile ransomware case involving US GPS technology company Garmin, which produces a range of fitness trackers and other sports devices. On 23 July, Garmin’s wearable devices, apps, website and call centre operations were disrupted by a cyberattack, which the company publicly acknowledged on 27 July. The company is reported to have paid a ransom to an unidentified cyber gang on 24 or 25 July via a ransom negotiation company, although Garmin has not publicly said whether a ransom was paid. Most notably, reports state that the company was targeted by the WastedLocker ransomware strain, which is believed to have been developed by individuals linked to sanctioned Russia-based hacking group Evil Corp. Media reports claim the ransom payment was around USD10 million, although this is unconfirmed.

The uptick in ransomware attacks during the COVID-19 pandemic comes as geopolitical competition is increasingly pursued through digital means. OFAC’s announcement specifically names countries covered by comprehensive US embargos or sanctions, including Cuba, Iran, North Korea, Syria, and the Crimea region, which is internationally recognised as part of Ukraine yet is under de facto Russian control. In particular, Iranian and North Korean cyber groups have conducted attacks against US interests, while extensive hostile activity has also been attributed to Chinese and Russian groups. Washington, meanwhile, has also increased its capabilities amid growing inter-state competition in the cyber domain. In 2019, former National Security Advisor John Bolton announced that the US was stepping up its offensive cyber activities in order to counteract theft of US intellectual property (IP).

The opaque nature of malicious cyber activity and the significant role of non-state groups provide countries with an opportunity to target or punish their adversaries through avenues other than traditional military means or economic sanctions. For attackers, moreover, ransomware incidents serve the added purpose of raising ransom funds, which are particularly valuable in countries with weak economies and limited access to international financial markets, such as Iran and North Korea. In the short-to-medium term, ransomware incidents are likely to become increasingly frequent, particularly as workflows become digitised and the proliferation of remote working creates new and lucrative opportunities for threat actors. Amid the threat of ransomware attacks and potential legal implications of cooperating with sanctioned entities, organisations should monitor trends in cybersecurity and test and update their cyber defences.


Canada: Trudeau’s minority government survives third confidence vote in a month