Ransomware is a type of malicious software that encrypts a target computer or network so that its owners cannot access their stored data. The criminals in control of the ransomware then demand money – a ransom – from their victims in order to enable access. Since ransomware attacks take place online, victims rarely know who they are paying ransoms to, or understand the regulatory compliance risks associated with such payments. In 2021, it is estimated that ransomware cost global businesses around $20 billion, with that figure expected to rise to over $256 billion by 2031. However it is notoriously difficult to gauge the real costs as many organisations will not admit to paying a ransom.
In response to the significant criminal threat, global regulators and law enforcement authorities are increasing their focus on detecting and preventing ransomware attacks by imposing a range of penalties against those that launch them. In the case of state sponsored attacks, that also includes imposing sanctions. However, whatever actions regulators take, it is crucial that organisations remain vigilant by understanding ransomware risks and how to avoid falling victim to an attack.
Ransomware and Global Sanctions
Ransomware attacks are a popular criminal methodology amongst international criminals – and are often used to work around the restrictions imposed by international economic sanctions.
The crippling effect of ransomware attacks mean that their victims may be inclined to make ransom payments to unknown criminals in order to free their data, despite the potential sanctions risk associated with doing so. Ransomware is such an effective way of thwarting sanctions measures and raising illegal funds that many ransomware attacks are sponsored by the governments of sanctioned countries, and deployed as part of extensive criminal campaigns targeting organisations in the media, energy, communications, and financial industries.
Recent examples of state-sponsored ransomware attacks include North Korea’s ‘Maui’ ransomware attack on US healthcare organisations in 2021, and Russia’s ‘NotPetya’ ransomware attack on Ukraine in 2017, which originally targeted financial, energy, and government networks but subsequently spread indiscriminately into Europe and back into Russia.
OFAC Ransomware Sanctions 2022
In September 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) announced that it was imposing sanctions against several individuals and entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The sanctions followed an OFAC investigation that revealed the individuals and entities were behind a series of ransomware attacks against networks owned by US and global organisations. OFAC was also able to link the attacks to a number of Iranian state-sponsored hacking groups, known to cybersecurity entities as Nemesis Kitten, DEV-0270, APT35, Charming Kitten, Phosphorus APT, and Tunnel Vision. The ransomware attacks perpetrated by those groups included:
- An attack on a New Jersey municipality in February 2021 that exploited a Fortinet vulnerability.
- An attack on Microsoft Bitlocker in March and April 2021, in which decryption keys were held for ransom. Numerous small businesses were impacted by the attack.
- An attack on a US children’s hospital in June 2021 in which a group gained supervisory control of the network and of data acquisitions systems.
- A series of attacks from June to September 2021 targeting transportation, healthcare, emergency services, education, and energy providers.
The IRGC-linked group sanctioned by OFAC is made up of employees and associates of Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company. The list includes:
- Managing directors Mansour Ahmadi (Najee Technology) and Ahmad Khatibi Aghda (Afkar System).
- Employees of Najee Technology and Afkar System: Mojtaba Haji Hosseini, Mohammad Shakeri-Ashtijeh, Mo’in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Ali Agha-Ahmadi, and Mohammad Agha Ahmadi.
- Individuals linked to NET Peygard Samavat Company – as a result of links to the IRGC and the Iranian Ministry of Intelligence and Security.
OFAC’s sanctions mean that the assets of the Iranian persons designated have been frozen in the US, and US persons are prohibited from doing business with them. US firms that violate OFAC sanctions risk significant criminal penalties, while non-US firms risk being sanctioned themselves.
OFAC emphasised the damage that ransomware causes in the US, revealing that the cost of attacks reached “over $590 million in 2021” (up from $416 million in 2020). The US government suggests that figure does not reflect the true cost of the attacks which also covers the disruption of critical systems and ordinary businesses.
The global ransomware threat is a significant anti-financial crime (AFC) priority – especially given the risk of violating sanctions by paying the criminals behind attacks. In March 2022, the Association of Certified Anti-Money Laundering Specialists (ACAMS) released a report on its Global Ransomware Risks Survey, which took in respondents from public and private sector organisations. The report set out a number of key findings, including:
- Only 40% of respondents believed their organisation was shielded from ransomware attacks.
- Only 41% of respondents considered ransomware attacks as part of their sanctions compliance programs.
- Only 24% of respondents were familiar with the potential sanctions compliance risk of paying ransoms to criminals.
- Only 20% of respondents felt that their government authorities were doing a good job of protecting companies against ransomware attacks.
- Almost 50% of respondents believed that they would be targeted by a ransomware attack in the next 12 months.
The ACAMS report reveals a need for firms around the world to strengthen their sanctions compliance programmes to account for the ransomware threat. In practice, this means implementing suitable cyber-security measures to detect and prevent ransomware attacks, and – should an attack happen – ensuring that they do not violate sanctions compliance regulations by making ransom payments. Firms may address the ransomware sanctions compliance risk in a variety of ways, including:
- Reviewing their networks regularly for vulnerabilities to ransomware and other cyber-attacks.
- Either directly or working with a Managed Security Service Provider (MSSP), implementing appropriate cyber-security measures across their network, including software solutions and employee training.
- Implementing a ransomware sanctions compliance response should an attack take place.
- Involving sanctions compliance teams and anti-money laundering (AML) teams in ransomware compliance policies and procedures.
- Investing in ransomware insurance.
The ACAMS study revealed that only 24% of respondents were aware of the point at which they should elevate a ransomware attack to a financial crime compliance priority, while only 53% of respondents were aware of the terms of their ransomware insurance – and what they needed to do to comply with the terms of their coverage.
Addressing the sanctions compliance risk associated with ransomware requires firms to make decisions about customers and risk factors quickly. To meet that challenge, firms must collect and analyse a vast amount of data, and use that data to inform compliance processes before and during a potential ransomware attack. In practice, this means implementing an automated software platform as part of a sanctions compliance solution.
In September 2022, following OFAC’s sanctions announcement, cyber-security firm Secureworks confirmed the link between the designees and the IRGC. The confirmation followed a similar Secureworks Counter Threat Unit (CTU) investigation in May 2022 that revealed a link between ransomware attacks from the Cobalt Mirage group and the Iran-linked Phosphorus APT group.
As part of a next-generation risk management approach, Labyrinth Intelligence and Labyrinth Screening are two powerful tools used in the fight against ransomware and other types of financial crime. Integrating cutting-edge knowledge graph and machine learning technology, Labyrinth enables firms to make sense of complex, diverse, structured and unstructured data. It also enables real-time searches against thousands of global data sources including sanctions lists, watchlists, and adverse media sources, in 22 languages, seamlessly blending data to deliver actionable compliance intelligence.
In a constantly shifting sanctions and regulatory landscape, Labyrinth offers a way for firms to stay on top of customer activities and adapt quickly to emerging risks such as ransomware.