The nearly nonstop series of new U.S. sanctions being levied in a bid to halt Russia’s war machine have complicated events for companies facing their own external threat: ransomware attacks.
The ever-lengthening lists of sanctioned entities pose risks to U.S. companies that want to pay to get their systems back online after an attack, experts said.
Ed McNicholas, co-leader of the cybersecurity practice at law firm Ropes & Gray LLP, said ensuring that ransomware payments aren’t going to sanctioned Russian entities has gotten “much harder” recently.
“The overlap of the rise of ransomware and then these pervasive sanctions against Russia has created quite a firestorm in terms of the ability to pay ransoms,” he said.
Traditionally, the list of entities under sanction has been mostly relevant to those in financial services, but recent surges in ransomware attacks have meant that cybersecurity experts have had to do their best to ensure ransom payments aren’t going to blacklisted entities.
The work of staying up to date has become more intense as the U.S. has steadily piled on sanctions, said Bill Siegel, the chief executive of Coveware Inc., which helps companies handle negotiations and other work associated with attempts at cyber extortion.
“With the war, it’s become incredibly dynamic where the entire landscape can shift or change when you wake up in the morning,” Mr. Siegel said. “There’s more sanctions happening every single day.”
U.S. law imposes so-called strict liability on anyone that makes a payment to a sanctioned entity—meaning that a lack of intent to flout sanctions doesn’t exonerate the paying party.
So far, U.S. enforcers haven’t publicly targeted a company for making a ransomware payment to a sanctioned entity, but several experts have said some kind of enforcement activity is likely.
The U.S. Treasury Department’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network both have highlighted ransomware payments in recent months. OFAC said in September that it “strongly discourages” extortion payments and reiterated that it can take action against payers.
“It is likely that OFAC will seek to make an example,” said Matt Lapin, a partner at the law firm Porter Wright Morris & Arthur LLP who specializes in international transactions and international trade law.
Mr. Lapin said he thought OFAC would most likely take action against a ransomware-paying company that had failed to conduct appropriate due diligence on its payment or failed to proactively communicate with law enforcement or OFAC itself.
FinCEN in March warned financial institutions to beware of Russia-linked ransomware attacks, and OFAC earlier this month sanctioned a “darknet” market and cryptocurrency exchange suspected of involvement in ransomware payments.
To keep companies from inadvertently running afoul of the law, Coveware runs information collected in connection to attacks through a series of analyses, collecting data on behavioral patterns, the code used and other forensic artifacts, Mr. Siegel said. The company also tries to ensure that the attacker is a financially motivated criminal, rather than a state-linked actor, he said.
Coveware refuses to facilitate a payment to a suspected sanctioned entity—anyone involved in facilitating a payment to a sanctioned entity can be found liable for violating the law—but has had clients ask that it ignore sanctions, Mr. Siegel said.
Even absent an enforcement action, the mere possibility of an action by OFAC, which enforces sanctions, can be enough to complicate a ransomware payment. Civil penalties could range from thousands to millions of dollars.
Insurance companies can be reluctant to make payments if there is even a hint of involvement by a sanctioned entity, said Roberta Sutton, a partner at Potomac Law Group PLLC whose practice focuses on insurance recovery and risk management.
After one of Ms. Sutton’s clients, a firm she declined to name that provides information-technology-related services, made a ransomware payment to release its systems after a June 2020 attack, the company hasn’t been paid by its insurer, she said. A third party not involved in the investigation wrote an article suggesting the attack might be attributable to a sanctioned entity, which led the insurance company to halt the $1 million payment, Ms. Sutton said.
“It’s so frustrating,” she said. “A million dollars is rather large for this client. It’s had to call on its investors for more capital.”
The insurance company, which she also declined to name, reached out to OFAC for guidance but hasn’t yet received a response, she said.
Coveware’s Mr. Siegel said companies should be proactive about beefing up their security and run tabletop exercises to try to avoid being caught off guard by an attack.
“Most companies approach this risk for the very first time when the incident happens,” he said. “All of a sudden, during this horrible incident, the company’s down—oh, and by the way, there’s this terrible risk of this strict liability problem with one of the scariest regulators out there. They’re forced to understand it under duress.”
Write to Richard Vanderford at richard.vanderford@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.