Facilitating ransomware payments to sanctioned hackers may be illegal, the US Treasury said on Thursday, signaling a crackdown on the fast-growing market for consultants who help organisations pay off cybercriminals.
In a pair of advisories, the Treasury’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network warned that facilitators could be prosecuted even if they or the victims did not know that the hackers demanding the ransom were subject to US sanctions.
Companies that voluntarily notify and cooperate with Treasury's Office of Foreign Assets Control (OFAC) at any time during or after a ransomware attack, however, will receive favourable treatment.
"OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome," the advisories said.
Ransomware works by encrypting the files on infected computers, holding a company's data hostage until a ransom is paid. Organisations have often ponied up ransoms to liberate their data.
“It is a game changer,” said Alon Gal, chief technology officer of Hudson Rock, which works to head off ransomware attacks before they happen.
Before, companies could decide whether or not to pay cybercriminals off, he said. Now that those decisions are being brought under government oversight “we are going to see a much tougher handling of these incidents.”
The Financial Crimes Enforcement Network's advisory also warned that cybersecurity firms may need to register as money services businesses if they help make ransomware payments. That would impose a new reporting requirement on a previously little-regulated corner of the cybersecurity industry.
Ransomware has become an increasingly visible threat in the United States and abroad. Cybercriminals have long used the software to loot their victims. Some countries, notably North Korea, are also accused of deploying ransomware to earn cash.