On April 5, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the darkweb Hydra Marketplace and the virtual currency exchange Garantex and added both to the Specially Designated Nationals List (SDN).

On October 1, 2020, OFAC issued a Ransomware Advisory “to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.”

OFAC specifically designates “malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program.” Understanding and adhering to the Advisory is very important for companies that are victims of ransomware attacks if they are considering paying a ransom.

OFAC updates the cyber-related designations, which can be accessed on the Department of the Treasury’s website, as it did on April 5, 2022 with Garantex and Hydra.

When adding Garantex to the designation list, and to help prevent fraud, OFAC also listed over 100 digital currency addresses associated with SDN Hydra Marketplace and used to conduct “illicit transactions,” so that those involved in digital currency are aware that the addresses are illicit.

OFAC explains the implications of U.S. persons transacting any business with sanctioned individuals or entities in its announcement of the sanctions against Hydra and Garantex:

All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

OFAC has also issued Sanctions Compliance Guidance for the Virtual Currency Industry to assist compliance professionals on how to navigate this space.

We expect to see more activity in cyber designations while the U.S. continues to ramp up sanctions against Russia and its leadership.

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that incidents of ransomware attacks on U.S. companies have risen during the COVID-19 pandemic. Although the advisory does not mention that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid ransoms, particularly when data has been exfiltrated and the cybercriminals threaten to post the data online unless a ransom is paid in exchange for confirmation of its destruction, as is the scheme used by Maze.

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” These sanctions include civil penalties based on strict liability.

In light of the advisory, OFAC:

“encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses) (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for anyone responding to ransomware attacks. It lays out important considerations for determining how the sanctions risk may affect your incident response plan, which questions to ask your cyber liability insurer about coverage for ransom payments, and how to account for the risks associated with a ransomware payment in your enterprise-wide risk management program.

In the Biden Administration’s continuing effort to reduce the risk posed by spyware from foreign adversaries, including Russia, the United States Department of Commerce (Commerce) issued a final rule (Rule) on June 16, 2023, entitled “Protecting Americans’ Sensitive Data from Foreign Adversaries,” and also amended a previously issued rule (“Securing the Information and Communications Technology Supply Chain”) that had been published under a Biden Executive Order. The new Rule gives Commerce authority to prohibit or regulate communications technology or services, including software, that are connected to foreign adversaries and pose a risk to national security.

Using the authority provided by the Rule for the first time, on June 19, 2024, Commerce issued a final determination prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries, and parent companies from “directly or indirectly” providing anti-virus software and cybersecurity products or services in the U.S. According to Commerce, “Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use. The full list of prohibited transactions can be found here.” Kaspersky has until September 29, 2024, to cease doing business in the U.S., and may provide existing customers with anti-virus and codebase updates until that time.

Kaspersky has been selling software and services in the U.S. for years, so it is no doubt embedded in company cybersecurity programs throughout the U.S. According to Commerce:

“Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination. However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.”

Commerce determined that Kaspersky posed an undue or unacceptable risk to national security because of “the ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government,” which it found to “pose an undue or unacceptable national security risk,” and it therefore prohibited continued transactions involving Kaspersky’s products and services.

On June 20, 2024, in coordination with Commerce, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) added twelve executives and senior leaders of Kaspersky to the OFAC sanctions list. If you are using Kaspersky products or services, the final determination has a meaningful impact on your organization: as of June 19, 2024, Kaspersky will no longer be able to provide support for any of its products or services in the U.S., and its executives are listed on the OFAC sanctions list. You may wish to heed Commerce’s recommendations if you are in this position.

In a win for global law enforcement, Germany’s Bundeskriminalamt (BKA) announced on April 5, 2022, that it had officially taken down the infrastructure of Hydra, a Russia-based, illegal dark-web marketplace that has allegedly facilitated more than $5 billion in Bitcoin transactions since its inception in 2015. In the process of shutting it down, German authorities seized over $25 million in Bitcoin through 88 transactions. According to BKA, it “secured the server infrastructure in Germany of the world’s largest illegal Darknet marketplace ‘Hydra Market.’”

BKA attributed the takedown to a collaborative investigation, conducted since August 2021, between its Central Office for Combating Cybercrime and U.S. law enforcement authorities.

According to BKA, Hydra had 17 million customers and over 19,000 seller accounts registered on its marketplace, and “was probably the illegal marketplace with the highest turnover worldwide.”

Following the takedown in Germany, the U.S. Department of the Treasury’s (Treasury) Office of Foreign Assets Control (OFAC) imposed sanctions against Hydra, which, according to Secretary of the Treasury Janet Yellen, sends “a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world.”

Treasury’s release states, “Countering ransomware is a top priority of the Administration. Today’s action supports the Administration’s counter-ransomware lines of effort to disrupt ransomware infrastructure and actors in close coordination with international partners” and calls out Russia as “a haven for cybercriminals.”

Therefore, Hydra was designated by OFAC “for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”

Treasury further sanctioned the virtual currency exchange Garantex, which is based in Estonia but operates in Moscow and St. Petersburg, Russia. According to Treasury, more than $100 million in transactions over the exchange were associated with “illicit actors and darknet markets,” including Conti and Hydra.

Therefore, Treasury designated Garantex “for operating or having operated in the financial services sector of the Russian Federation economy,” which “reinforces OFAC’s recent public guidance to further cut off avenues for potential sanctions evasion by Russia, in support of the G7 leaders’ commitment to maintain the effectiveness of economic measures.”

These actions by the Department of the Treasury send a strong message to cybercriminals that sanctions related to the war in Ukraine are rapidly spurring additional scrutiny and action by law enforcement against anyone associated with Putin or Russia.


Three recent events are prompting me to update our previous blog post on the difficult decision of whether or not to pay a ransom following a ransomware attack.

The first event is that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries “with a sanctions nexus,” the funds could be used “to fund activities adverse to the national security and foreign policy objectives of the United States.” Therefore, companies, or vendors acting on their behalf, that pay a ransom to a sanctioned individual or government are at risk for sanctions under the Financial Crimes Enforcement Network (FinCEN) regulations.

The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or for the destruction of data.

The second event was a recent, thoughtful analysis of this subject by KrebsOnSecurity, entitled “Why Paying to Delete Stolen Data is Bonkers.” Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes the report’s observation that, “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”

Krebs further notes that ransomware victims who pay for the decryption key are relying on the hope that the keys will work, which is not always the case.

The final event relates to growing anecdotal evidence that Ransomware as a Service (RaaS) operators, usually less sophisticated than the big boys, are engaging in double extortion scams against their victims. This means that if you have made the business decision to pay the ransom for either the decryption keys or the destruction of data, these operators refuse to hand over the key or the confirmation of destruction until you pay more ransom – after you have agreed to pay a negotiated amount and they have initially agreed to hold up their part of the bargain. This behavior is inconsistent with the general assumption underlying ransomware, namely that the attackers will return what has been ransomed after payment, so that future victims can be assured that once they pay the ransom, they will get back their keys or data. This new phenomenon provides a strong argument (in addition to the ones above) for refraining from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. Attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of an attack, you just don’t know who you are dealing with, so weighing these risks is challenging at best.

Late last week, the Federal Bureau of Investigation (FBI) issued a warning to U.S. consumers that Russian hackers (dubbed Sofacy, a/k/a Fancy Bear and APT28, and believed to be backed by the Russian government) had compromised “hundreds of thousands” of home and office routers through malware known as VPNFilter in order to collect information by hijacking the devices and shutting down network traffic. VPNFilter can steal data or order routers to self-destruct.

The warning came on the heels of a court’s approval for the FBI to seize a website that was planned to be used to deliver instructions to the hijacked routers. According to the FBI, “the size and scope of the infrastructure impacted by VPNFilter malware is significant.” It is estimated that the malware has infected 500,000 devices in 54 countries, including the U.S.

Cisco issued its own warning, saying that the malware has affected broadband routers and Wi-Fi devices from Linksys, TP-Link and Netgear.

Therefore, the FBI is urging owners of small office and home routers to reboot the devices, and to download patches and software updates to eradicate the malware. Symantec notes that VPNFilter is very difficult to remove and can reappear after a reboot of the device, so it suggests a hard reset of the device to factory settings to remove the malware.

Trans Union, LLC, one of the largest credit reporting agencies in the United States, has been hit with a $60 million verdict by a California jury, the largest verdict under the Fair Credit Reporting Act (FCRA) to date.

The class action complaint was filed in 2012 and alleged that, when preparing credit reports, Trans Union was checking consumers against the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) database, which mistakenly linked consumers to terrorists and criminals with the same name.

The jury found that Trans Union violated the FCRA when it failed to assure the accuracy of its credit reporting results, to notify consumers of OFAC results in writing, and to provide them with notice of their rights under the FCRA, including the right to correct mistakes on their credit report.

The verdict provides that each of the 8,185 class members will receive $984 in statutory damages under the FCRA and $6,353 in punitive damages, which totals $60 million.

Trans Union has publicly stated that it is reviewing its options following the jury verdict.

Every morning we sit down at our computers and provide our credentials to the network: user name and password. Because it has become such a ubiquitous part of modern life, we have a user name and password for everything; we even have password management applications. This system of challenge and response is designed to prove to the system who you are, that is, to authenticate you as a valid user. As discussed in a previous blog post, who you are and what you do may also determine your permissions within the system if Role Based Access Controls are in place.

Multi-factor authentication (MFA) is a method of more securely verifying the identity of a user of any given system. The “multi-factor” comes from requiring more than one kind of identifying information. In the challenge-and-response example above, you know your user name and password. MFA requires two or more pieces of information from different categories among the following:

  • Knowledge: something you know (user names, passwords, PIN)
  • Possession: something you have (secure token, bank card, cell phone)
  • Inherence: something you are (fingerprint, retina, other biometrics)

A subset of MFA is two-factor authentication (2FA), which is the most widely implemented version. An early form was patented in the early 1980s for use with automated teller machines: customers need their bank card, and they need to know the PIN (something they have and something they know). Two-factor authentication has become extremely common, especially in the Internet and ‘app’ space. A common method of 2FA is for the provider to text a code to your mobile phone after a successful challenge and response. Something you know is your user name and password; something you have is your mobile phone.
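The two-step flow described above (password first, then a one-time code sent to the user’s phone), as an added example that is not part of the original post. The `send_sms` callable stands in for a real SMS gateway, the five-minute code lifetime is an assumption, and the code is consumed after a single attempt so that a six-digit code cannot be guessed by repeated tries.

```python
import hashlib
import hmac
import secrets
import time


class TwoFactorLogin:
    """Knowledge factor (password) plus possession factor (code texted to a phone)."""

    CODE_TTL = 300  # seconds a texted code stays valid (assumed value)

    def __init__(self, send_sms):
        self._send_sms = send_sms  # callable(phone, code); a real deployment uses an SMS gateway
        self._users = {}           # username -> (salt, password_hash, phone)
        self._pending = {}         # username -> (code, expires_at)

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a stolen user table does not yield passwords directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), phone)

    def step1_password(self, username, password):
        """Something you know: verify the password, then text a fresh code."""
        record = self._users.get(username)
        if record is None:
            self._hash(password, b"\0" * 16)  # same cost for unknown users (timing)
            return False
        salt, password_hash, phone = record
        if not hmac.compare_digest(self._hash(password, salt), password_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # unpredictable six-digit code
        self._pending[username] = (code, time.time() + self.CODE_TTL)
        self._send_sms(phone, code)
        return True

    def step2_code(self, username, code):
        """Something you have: the code only reached the registered phone."""
        pending = self._pending.pop(username, None)  # single use, success or not
        if pending is None:
            return False
        expected, expires_at = pending
        if time.time() > expires_at:
            return False
        return hmac.compare_digest(expected, code)
```

A wrong or expired code sends the user back to step one, so each texted code gives an attacker exactly one guess.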

Most service providers support 2FA, but you may need to request that it be enabled for your account. You can check whether your provider supports 2FA at https://twofactorauth.org/.