US government imposing fines for those companies paying ransomware

[Yaunfitda]

In a ironic move by the US federal government, companies that are going to cooperate and pay ransom to cyber threat actors are going to be liable as "even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."



https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

I guess what the US want is to really stop this attack on US soil specially those coming from state backup attacks, specially from North Korea. And now they are encouraging victims to contact relevant government agencies first before dealing with this cyber actors.

[1713455318]

1713455318

[1713455318]

1713455318

[Kemarit]

They consider this a threat to their national security and they attacks have been growing, even hospitals and educational system has been attack as well. The criminals knows no boundaries and the US wanted it to stop at all cost to even imposing fines to those victims, because not only they are cooperating, but encouraging it as well. We all know what their stance on any terrorists, "NO Ransom".

So I wouldn't be surprised if they are going to apply it to cyber criminals as well. So we will see how this goes in the future. I think the best prevention for now is for those companies to update everything including hospitals, which is one of the most frequented target by organized crimes because of the total lax on their systems. And then educate the users not on proper security hygiene.

[dothebeats]

This is actually making a statement to those cyber terrorists that targeting US-based companies would be fruitless, and would, most of the time, result to them getting nabbed or getting tracked. It would be best if the US gov't also provide assistance to private companies facing these type of hacks, as they are the ones who imposed that no ransom shall ever be paid in order to get those files backed. If this wouldn't be the case, everyone would be forced to upgrade their security systems and do better in terms of handling their data, which is pretty good overall considering that some of these companies are still using old tech in maintaining their database and file systems.

[btc_angela]

I'm seeing that US wanted to get involved, because this is already a cyber war. It's not just for the money here, but the criminals are also stealing information and very often that it could be consider an attack on their home soil itself. And they want to US companies not to pay the ransom but they will go after this criminals and send the message not just that their effort will be fruitless, but not to mess with them because they are going after them, regardless if they are from Russia or North Korea.

[Harlot]

They aren't actually stopping the companies hit by the ransomwares themselves but they are actually trying  to stop companies being the middleman for both the victim and the hacker as they are treated as some kind of "cyber actors" in the part of the crime. And I do agree with that, these companies who are helping on making the payment for this criminals are making money while doing so, technically this looks bad on them as like I said they are helping them earn the blackmail money. Discouraging them with a fine will just allow the company to do it on their own and handle the situation themselves without a help of any kind of middleman.

[posi]

The statement made by the US Treasury office may seems harsh by some people but it definitely a way to stop the US citizen from being a victim of the ransomware attacker cause despite the strategy used by the hackers been exposed some people will still be silly enough to fall their tricks and the funny thing is that even with this public announcement of penalization some people will fall for the ransomware attack.

They aren't actually stopping the companies hit by the ransomwares themselves but they are actually trying  to stop companies being the middleman for both the victim and the hacker as they are treated as some kind of "cyber actors" in the part of the crime.

According to the gravity of this announcement, I believe the US government is already involved cause the information stole by the hacker worth more than the money involved.

[TravelMug]

They aren't actually stopping the companies hit by the ransomwares themselves but they are actually trying  to stop companies being the middleman for both the victim and the hacker as they are treated as some kind of "cyber actors" in the part of the crime.

It's just the same though, what the US want is to really stop paying this "cyber actors", regardless if you are an entity that facilitates or companies paying directly, you are in violation OFAC Regulations.

And I do agree with that, these companies who are helping on making the payment for this criminals are making money while doing so, technically this looks bad on them as like I said they are helping them earn the blackmail money. Discouraging them with a fine will just allow the company to do it on their own and handle the situation themselves without a help of any kind of middleman.

Yes, this is what the US government wanted, to prevent and discouraged cooperating with cyber threat. They already have a black list, including hackers or cyber criminals from North Korea (Lazarus group and it's sub groups) and  Evil Corp, a Russia-based cybercriminal organization. Can this stop cyber criminals? I don't think so, they will continue to engage and attack US. But at least the US can have the legal means to come after this groups in the future.

[Lucius]

This is in line with that famous saying "US does not negotiate with terrorists", and here they want to make it clear to their citizens not to cooperate with online terrorists, thus encouraging them to carry out similar attacks.

This definitely makes sense if it is going to raise the level of protection that many companies neglect quite a bit when it comes to computer security that includes not only software solutions, but also regular data backup and education of their employees. Instead of spending money on ransom payments, it's definitely better to invest in prevention - and it seems to be the only way to convince someone to change their bad habits of punishing them if they continue to work the old way.

[Harlot]

They aren't actually stopping the companies hit by the ransomwares themselves but they are actually trying  to stop companies being the middleman for both the victim and the hacker as they are treated as some kind of "cyber actors" in the part of the crime.

It's just the same though, what the US want is to really stop paying this "cyber actors", regardless if you are an entity that facilitates or companies paying directly, you are in violation OFAC Regulations.

And I do agree with that, these companies who are helping on making the payment for this criminals are making money while doing so, technically this looks bad on them as like I said they are helping them earn the blackmail money. Discouraging them with a fine will just allow the company to do it on their own and handle the situation themselves without a help of any kind of middleman.

Yes, this is what the US government wanted, to prevent and discouraged cooperating with cyber threat. They already have a black list, including hackers or cyber criminals from North Korea (Lazarus group and it's sub groups) and  Evil Corp, a Russia-based cybercriminal organization. Can this stop cyber criminals? I don't think so, they will continue to engage and attack US. But at least the US can have the legal means to come after this groups in the future.

Basically the US government is treading the ransomware hackers as some kind of terrorist where if they deny the payment transfer they would be discouraging more future attacks to happen which I don't think is the case. From the news I have been seeing ransomware related attacks are increasing now not only in companies but also to personal computers, if they just deny or fine people paying the ransomware I believe that ransomware attacks would increase just for this people for them to have any income. Anyways if the US government wants to be involve I think they should just be tracking down the people doing the hacks and not concentrating on the victim.

[btc_angela]

^^, Yes, I have said, this is already a cyber war, the game has shift to online attacks on US soil. So just the same stance whether online or offline attacks, they won't tolerate and will not pay any ransom to this cyber terrorist. I'm sure that they have been tracking this terrorist already, then already name North Korea and Russia as the main 'source' of attacks to US soil. And US government, specifically FBI are doing a lot of monitoring and issues advisories:

https://www.fbi.gov/investigate/cyber

[Lucius]

I'm sure that they have been tracking this terrorist already, then already name North Korea and Russia as the main 'source' of attacks to US soil.

It is not at all strange that the two main suspects are North Korea and Russia, given that both are marked as highly problematic and under sanctions. But the attacks come from all over the world, because hackers who want money are not exclusively politically motivated, although the US's actions create a lot of enemies around the world. I wonder what is in this story with China or Iran who are being far more powerful than one North Korea that has become the main culprit for every trouble that happens in the world.

[avikz]

It's because US government wants to get more insughts about such attacks which many companies are not reporting. There is a fair reason for the companies not to report such attacks to the government and related cybersecurity departments because it involves the reputation of the company. From a customer point of view it's less secure to continue with the business with such victim companies.

But unless and until such incidents are reported, there will be no way the cybercrime department will be able to get to the root of such things. Probably that's the reason such notification is issued!

[sheenshane]

I find this unfair for any organization and people who are innocent but the fingers are pointed to them because of this act.
I don't think that this one is timely. I would recommend the government to help the mid-man identify these first. Why? It's too hard to identify when someone is using your platform for making transactions with hacking. Unless there is a software that will be created specifically for this.

But on the other side, this is good to them as well. It will probably lessen the cybercriminal cases once criminal knows this announcement, they might afraid doing transaction online. Most likely they are going offline but they will encounter difficulties.

[cryptomaniac_xxx]

This is a interesting article, Ransomware victims aren't reporting attacks to police. That's causing a big problem. This is Europol though, but I'm just wondering if in the US soil nobody reports a crime to US agencies?

Many victims of ransomware aren't reporting attacks to police, making it harder to measure the level of crime and to tackle the gangs involved.

Europol's Internet Organised Crime Threat Assessment 2020 report details the key forms of cyber crime which pose a threat to businesses right now and ransomware remains one of the main concerns, especially as these gangs increasingly display high levels of skill and sophistication.

In many cases, ransomware gangs don't just encrypt the network with malware and demand hundreds of thousands or millions of dollars in bitcoin, they'll also threaten to leak stolen sensitive corporate files or personal data if they don't receive a payment.

And while ransomware is one of the most high profile forms of cyber attack, Europol's report warns that it remains an under-reported crime as many organisations still aren't coming forward to law enforcement after falling victim.

Several law enforcement agencies across Europe say they've only heard of ransomware cases via reports in local media.

What if the companies paid the ransom already to criminals and then the news just surface on the media? Will US still charge those that didn't report it and instead pay the ransom themselves and try to keep quiet?

[Yaunfitda]

I find this unfair for any organization and people who are innocent but the fingers are pointed to them because of this act.

I not seeing this as unfair, what US wants is to have total control because it curtails national security according to them. So no US citizens can just pay this ransom period.

I don't think that this one is timely. I would recommend the government to help the mid-man identify these first. Why? It's too hard to identify when someone is using your platform for making transactions with hacking. Unless there is a software that will be created specifically for this.

They can't help if the man in the middle is not cooperating on their side, hence they are including as well.

But on the other side, this is good to them as well. It will probably lessen the cybercriminal cases once criminal knows this announcement, they might afraid doing transaction online. Most likely they are going offline but they will encounter difficulties.

And that is what US wanted to see, and they are sending a clear message to criminals now. Online criminals will not go offline with payments, they know the paper trail and tracking them will be easy for US government.

[Theb]

It's because US government wants to get more insughts about such attacks which many companies are not reporting. There is a fair reason for the companies not to report such attacks to the government and related cybersecurity departments because it involves the reputation of the company. From a customer point of view it's less secure to continue with the business with such victim companies.

But unless and until such incidents are reported, there will be no way the cybercrime department will be able to get to the root of such things. Probably that's the reason such notification is issued!

From what I know companies especially the ones that are publicly listed in the US are obligated to notify several departments as well as other businesses (i.e. insurance companies) about the ransomware attack they are experiencing even companies covered in the health sector are obligated to notify such attacks as they carry out personal date from their clients so I don't think this is the reason why they are doing this. For the US government trying to impose penalties to companies that help with the payments I think this is justifiable as like what others have said they are profiting from something that is illegal and imposing a fine would simply discourage businesses to handle payments for companies that are victimized by these kinds of attacks. 

[aioc]

In a ironic move by the US federal government, companies that are going to cooperate and pay ransom to cyber threat actors are going to be liable as "even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."



https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

I guess what the US want is to really stop this attack on US soil specially those coming from state backup attacks, specially from North Korea. And now they are encouraging victims to contact relevant government agencies first before dealing with this cyber actors.

I hope they can back it up, if they impose fines then they should offer what kind of solutions are they going to offer to those who ignore and refused to pay these cyber criminals, can they solve or fix the issues if the victim contact the authorities, if they can show potential victims and victims that they have the resources to fix the issues then they will not pay these criminals and ask for their help.

[Lorence.xD]

It's because US government wants to get more insughts about such attacks which many companies are not reporting. There is a fair reason for the companies not to report such attacks to the government and related cybersecurity departments because it involves the reputation of the company. From a customer point of view it's less secure to continue with the business with such victim companies.

But unless and until such incidents are reported, there will be no way the cybercrime department will be able to get to the root of such things. Probably that's the reason such notification is issued!

The imposed fine is pretty reasonable in my opinion because if there were no consequences for the people who pays the ransomware attackers, then the companies mentioned by quote above will do what any company will do to protect their reputation. The fine serves as a sign for these companies to not slack off in regards to their security and backups.

[Karartma1]

The US are simply confirming without any reasonable doubt that they will act the same way they usually do with other crimes. As Lucius wrote US does not negotiate with terrorists. If they did, we wouldn't know anyway and they would deny any possible ransom. This news is a no news, they clearly extended what they already do on a different topic.
https://en.wikipedia.org/wiki/Government_negotiation_with_terrorists

For victims, though, this is very bad: they will suffer huge losses, twice.

[coolcoinz]

This is in line with that famous saying "US does not negotiate with terrorists", and here they want to make it clear to their citizens not to cooperate with online terrorists, thus encouraging them to carry out similar attacks.

This definitely makes sense if it is going to raise the level of protection that many companies neglect quite a bit when it comes to computer security that includes not only software solutions, but also regular data backup and education of their employees. Instead of spending money on ransom payments, it's definitely better to invest in prevention - and it seems to be the only way to convince someone to change their bad habits of punishing them if they continue to work the old way.

But will it work, that is the question. Take that recent case of CWT company, that paid the ransom and got their files decrypted. They chose this way because they knew that doing otherwise would mean bankruptcy. Most companies will be willing to pay the ransom and a fine imposed by the government, just to keep the boat afloat.
If they go down it will not matter if they save a million dollars or not since they will be unable to make any money from that point.