On October 1, the Department of the Treasury issued an advisory to highlight the sanctions risks associated with ransomware payments. Paying a ransom to a sanctioned entity carries the potential for federal civil penalties of twice the ransom payment itself. These penalties can be the difference that causes small and medium-sized businesses to consider not paying the ransom and simply shutting down entirely.
Due to the COVID-19 pandemic, the upcoming presidential election, and the discovery of numerous critical vulnerabilities, there has been a sharp uptick in ransomware-related activity. This blog series is designed to give you additional background on these threat actors that the advisory did not provide. It will also provide guidance on how to protect your organization based on the advisory's contents. This includes additional checks for businesses and tips on how to address a ransomware attack if you become a victim and need to pay.
Many of these attacks have been traced back to attackers operating out of hostile foreign nations or to groups sanctioned by the Department of the Treasury. One example is the Lazarus Group, which is sponsored by North Korea and was responsible for WannaCry. Two Iranian citizens were responsible for the SamSam attack, which was used against the city of Atlanta. Numerous Russian citizens have been sanctioned for their roles in ransomware attacks. The advisory indicates that ransom paid to them may be used to fund anti-American activities.
These threat actors are organized into groups, and many operate collaboratively. According to the security research firm Cyware, the Maze group, responsible for numerous attacks, has joined up with the LockBit and RagnarLocker groups. These groups collaborate on Russian-language forums and share tips and techniques. In addition, groups associated with sanctioned countries such as North Korea operate out of other nations, making attribution difficult.
These groups accept cryptocurrency, usually Bitcoin, as ransom payment. Bitcoin has been known as the “wild west” of finance, as it’s not tied to any fiat currency such as the US Dollar or Euro. Bitcoin exchanges, where cryptocurrency can be changed into fiat currency and vice versa, have not been known to follow good financial controls. On October 1, the Department of Justice indicted four founders and executives of the Bitcoin Mercantile Exchange, BitMEX, for willfully failing to establish, implement, and maintain an adequate anti-money laundering program. According to the New York Times, BitMEX — which was trading $1.5 billion a day in cryptocurrencies — was informed by authorities that the platform was being used by hackers and sanctioned countries like Iran. Its founders bragged about how cheap it was to bribe authorities in their corporate location in the Seychelles. The timing of this event may have influenced the issuance of the advisory.
It is also possible to set up a Bitcoin wallet and receive cryptocurrency payments with little effort. Therefore, it’s good practice to set up new wallets to avoid having your activity tracked on the blockchain. Many of the customer due diligence and anti-money laundering checks (Know Your Customer, or KYC, and AML) that banks are required to do under 31 CFR Parts 1010, 1020, 1023, 1024, and 1026 have not been done with cryptocurrency exchanges or cryptocurrency recipients. In addition, malicious threat actors have been known to hack exchanges. According to Selfkey, there have been numerous hacks in 2020 alone, several of which targeted exchanges that did not have these controls.
With the decentralized nature of cryptocurrencies, the lack of controls at popular exchanges, and collaboration between groups, it is nearly impossible to determine if a sanctioned entity was involved in a ransomware attack. Traditional methods, such as checking Treasury’s Office of Foreign Assets Control Sanctions List, will not work. The Financial Crimes Enforcement Network (FinCEN), according to its August 3rd guidance, requires the collection of basic data to identify and verify customer and company identities, understand the nature and purpose of customer relationships, and conduct ongoing monitoring to identify and report suspicious transactions. On a risk basis, financial institutions are also required to maintain and update customer information.
The August 3rd guidance doesn’t require the collection of additional information needed for due diligence, the performance of particular screenings, or the collection of information on the clients of other financial institutions. There is also no requirement for periodic scheduled information updates. Financial institutions are required to establish their own procedures. This can lead to wide variation between institutions and to the exploitation of lower-security organizations to establish credible financial records.
The first in a two-part series, this blog was written by Mitch Parker, CISO of Indiana University Health. Part two will explore the ramifications of paying for ransomware.