Bridget Q. Choi makes the case for heightened due diligence on ransom payments, stating that, “to ethically respond to ransomware attacks we must consistently file Suspicious Activity Reports with FinCEN.”
In 2019, ransomware incidents grew by over 131% compared to 2018, and based on Kivu’s own analysis ransomware attacks in 2020 are continuing on an upward trajectory. The insurance industry has been spotlighted in the media for purportedly contributing to the rise in attacks, on the grounds that funding ransoms may embolden and encourage cyber criminals. Recent events, like the rise of WastedLocker, a variant designed by Evil Corp, an OFAC-sanctioned group, have further complicated the facilitation and payment of ransoms. It is now apparent that not all ransomware attacks are opportunistic acts by criminal groups – many ransomware incidents appear to be orchestrated by sanctioned states such as Iran or North Korea, or by groups that work closely with those states, and as a result have been sanctioned by FinCEN. Those who insure or provide professional services to the victims of ransomware must ensure that their incident response partners are conducting robust due diligence and consistently filing Suspicious Activity Reports (SARs) with FinCEN.
Last year’s ProPublica investigation and subsequent article titled “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks” cast aspersions on the cyber insurance industry and kicked off a fierce debate. The article claimed that cyber insurance companies prefer to pay a ransom to minimize harm to the affected party, further suggesting insurers may favor paying a ransom due to the high costs of rebuilding and restoring networks anew. But according to ProPublica, insurance companies are “both fueling and benefiting from” ransomware attacks by opting to pay ransoms, in some cases “even when alternatives such as saved backup files may be available.” The article concluded that cyber carriers not only enable ransomware attacks, but financially benefit from them as they gain premiums and sell more policies. Specifically, it accused cyber claims departments of putting profit before the best interest of the insured and the greater societal good by paying attackers even when there are viable alternatives.
The response from the insurance industry was to uniformly disavow the article and investigation as uninformed and poorly researched. Various industry sources argued that the purpose of cyber insurance, in response to a ransomware attack, is to assist in making the organization operational as soon as possible, and that deciding whether to make a ransom payment is a collaborative process between the insurer and the insured. Carriers made clear that while extortion coverage is standard in most cyber insurance policies, the coverage for actual payment is subject to, and conditioned upon, the attackers not being on the Specially Designated Nationals and Blocked Persons List (SDN List) maintained by the U.S. Treasury. In short, cyber extortion coverage protects ransomware victims from financial ruin and pays only when necessary, when consented to or directed by the insured, and when legal.
Facilitation and payment of ransoms has become more complicated as the threat and legal landscape has evolved to include potentially known nation-state sponsored attackers or OFAC-sanctioned entities. In May 2020, a new ransomware variant called WastedLocker was identified, and the well-respected threat intelligence research group NCC Fox-IT (NCC) put forth evidence that the variant originated from a group calling themselves Evil Corp, which had been added to the OFAC SDN List in December 2019. NCC’s report is highly credible, as the group was part of the team that contributed to the Department of Justice investigation that led to the 2015 indictments of individuals linked to Evil Corp. Kivu has corroborated the technical evidence put forth by NCC and has concluded that WastedLocker is at high risk of being the work of the OFAC-sanctioned group Evil Corp. It is important that a risk assessment is applied when analyzing whether a transaction could be sanctioned by OFAC, as opposed to relying on “conclusive evidence”. It needs to be stated that the burden of proof is on a company seeking reconsideration of an OFAC enforcement action to show that it is not engaged in unlawful transactions. Accordingly, the NCC report is not conclusive evidence, but it is highly credible and demonstrates enough risk to conclude that ransom payments should not be made to WastedLocker attackers.
It is also important to consider the broader implications of facilitating payment to an OFAC actor. In December 2019, OFAC not only placed Evil Corp on its SDN List, but established that the group aided the Russian government, a country that has interfered with the 2016 U.S. election and is a continued active threat to U.S. national security. Many OFAC sanctions are based on the United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. For example, in concert with OFAC, the Department of Justice charged two of Evil Corp’s members with criminal violations, and the Department of State announced a reward of up to $5M for information leading to the capture or conviction of Evil Corp’s leader, Maksim V. Yakubets. Engaging with or facilitating payment to a WastedLocker attacker may carry grave consequences in that it could violate U.S. law, and more broadly undermine global law enforcement and national security efforts.
It is now incumbent on those transacting in this space to ensure they are abiding by the current legal framework. OFAC has levied sanctions against dozens of foreign nations, entities, and individuals found to present “unusual and extraordinary” threats. Companies must build an OFAC risk framework to make certain that they do not violate sanctions. All U.S. companies, as well as the individuals who work within those companies, fall within the jurisdiction of OFAC; in an insurance context, this could include underwriting, administration, and/or claims personnel. Additionally, OFAC’s jurisdiction extends to actions overseas, and therefore outsourcing payment to an offshore entity will not bypass potential sanctions. Moreover, non-U.S. persons outside of the national territory may be prosecuted for conspiracy with a U.S. person if they facilitate a sanctionable payment at the request of a U.S. person or entity. Lastly, we should not lose sight of the fact that most western countries have their own laws preventing companies within their jurisdiction from transacting with OFAC-sanctioned persons, countries or entities.
Given these events, it is crucial to confirm that the vendor retained to facilitate the ransom payment is a U.S. Treasury registered Money Services Business (MSB) and that its practice is to file a Suspicious Activity Report (SAR) on every ransom facilitation. FinCEN (the Financial Crimes Enforcement Network, under the United States Department of the Treasury) allows “money transmitters” to facilitate cryptocurrency ransom payments when they register as an MSB. MSBs must demonstrate to the Treasury that they maintain internal safeguards as well as robust anti-money laundering and OFAC due diligence procedures. Stakeholders are assured that when facilitating a ransom payment legally with a registered MSB, they will not be paying a sanctioned actor or entity, because an appropriate risk framework is in place. Service providers that are not registered MSBs are violating well-established U.S. law in facilitating ransom payments.
It is equally important for stakeholders to establish, as part of their due diligence, that it is the practice of the MSB to file a SAR with FinCEN on every ransomware payment or facilitation. When filing a SAR, the name of the client is anonymized, and technical hashes and indicators of compromise of the attack (e.g. email addresses, IP addresses, cryptocurrency wallet IDs, etc.) are provided to FinCEN. The filing of SARs is how FinCEN obtains data to aggregate, analyze and utilize the evidence collected in each ransomware matter, and is its mechanism for addressing the growing ransomware threat and related national security issues such as nation-state attacks.
It is imperative that stakeholders confirm the MSB has a policy for compliance. Not every MSB finds it expedient to file a SAR on every ransomware facilitation, making it incumbent on those who create vendor panels to confirm this point. Opportunities for collaboration in the fight against the illicit use of virtual currencies in ransomware are too important to ignore, especially as the complications around paying a ransomware attacker grow. Better data provided to FinCEN allows for more robust law enforcement and national security efforts, and ultimately better policy decisions related to cyber-crime. To continue to protect ransomware victims from financial ruin, and to make ransom payments that are legal, steps must be taken by all stakeholders to support robust law enforcement and to commit to due diligence on attackers.
“Beazley Breach Briefing – 2020” (March 2020), www.beazley.com/news/2020/beazley_breach_briefing_2020.html
Renee Dudley, “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks”, ProPublica (2019), https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
Stefano Antenucci, “WastedLocker: A New Ransomware Variant Developed by The Evil Corp Group” (June 2020), https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
FinCEN is a bureau of the U.S. Department of the Treasury. FinCEN carries out its mission by receiving and maintaining financial transactions data; analyzing and disseminating that data for law enforcement purposes; and building global cooperation with counterpart organizations in other countries and with international bodies.
Dudley, at https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
Id., at https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
Jonathan L. Schwartz, Marc S. Voses, James M. Paulino II, “Cyber Insurance: Enabler of Ransomware Events? Not Quite”, Goldberg Segalla Data Privacy Blog (September 6, 2019), https://dataprivacyblog.com/cyber-insurance-enabler-of-ransomware-events-not-quite/; Dan Reynolds, “Make Sure Your Data Recovery Firm Is Acting in Your Best Interests; A Smart Insurer Can Help”, Risk & Insurance (2019), https://riskandinsurance.com/data-recovery-firms-and-ransomware/; Daniel Solove, “Ransomware and the Role of Cyber Insurance: An Interview with Kimberly Horn”, LinkedIn (April 9, 2020), www.linkedin.com/pulse/ransomware-role-cyber-insurance-interview-kimberly-horn-daniel-solove/
NCC Fox-IT has been researching Evil Corp for years and is a qualified expert on this group. Andy Chandler, “FBI announces Dridex gang indictment and praises Fox-IT”, Fox-IT (13 October 2015), https://www.fox-it.com/en/about-fox-it/corporate/news/fbi-announces-dridex-gang-indictments-praises-fox/, accessed 7 February 2019.
Press Release of the United States Department of Justice, “Bugat Botnet Administrator Arrested and Malware Disabled” (October 13, 2015), www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled
Matthew Graves, Brian Young, “Treasury Enforcement Actions: Civil Enforcement with Criminal Consequences”, American Bar Association, Business Law Section (April 22, 2019), businesslawtoday.org/2019/04/treasury-enforcement-actions-civil-enforcement-criminal-consequences/#_ftn7
“In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government,” the agency’s statement reads. “As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations.” See United States Treasury Press Release, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware” (December 15, 2019), home.treasury.gov/news/press-releases/sm845
See “Joint DHS, ODNI, FBI Statement on Russian Malicious Cyber Activity” (December 26, 2016), www.dni.gov/index.php/ctiic-who-we-are/leadership/308-about/organization/information-sharing-environment/news/2108-joint-dhs-odni-fbi-statement-on-russian-malicious-cyber-activity; see also Senate Report, “Report of the Select Committee on Intelligence United States Senate on Russian Active Measure Campaign and Interference in the 2016 U.S. Election, Volume 1: Russian Efforts Against Election Infrastructure with Additional Views”, www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf
Matthew Rosenberg, Nicole Perlroth and David E. Sanger, “‘Chaos Is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020”, The New York Times (published Jan. 10, 2020, updated July 16, 2020), www.nytimes.com/2020/01/10/us/politics/russia-hacking-disinformation-election.html; see also “Digital Media Analysis for Durham County Board of Elections”, s3.amazonaws.com/dl.ncsbe.gov/Investigations/CISA_Durham_2016_Report_Released_December_30_2019.pdf
Individuals and entities sanctioned by OFAC are known collectively as “Specially Designated Nationals” (SDNs). OFAC maintains an updated list of SDNs that is separate from its various regulations outlining country-specific prohibitions on trade. See the Specially Designated Nationals and Blocked Persons List.
See Executive Order 13694 of April 1, 2015; 80 FR 18077, 18077-18079
See analysis at casetext.com/analysis/united-states-of-america-v-reza-zarrab-the-long-reach-of-us-sanctions-may-have-just-gotten-longer?sort=relevance&resultsNav=false; and 18 U.S. Code § 371, Conspiracy to commit offense or to defraud United States
See 31 CFR § 1010.100(ff)(5)(i)(A) (“Money transmission services” means “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”)
See generally Bank Secrecy Act, 31 U.S.C. §§ 5311-5314, 5316-5332 and 12 U.S.C. §§ 1829b, 1951-1959.
See “FinCEN Fines BTC-e Virtual Currency Exchange $110 Million for Facilitating Ransomware, Dark Net Drug Sales” (July 27, 2017), www.fincen.gov/news/news-releases/fincen-fines-btc-e-virtual-currency-exchange-110-million-facilitating-ransomware; FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies” (May 9, 2019) (“May 2019 Guidance”); see also 31 CFR § 1022.320; https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf
Although FinCEN has a statutory minimum for MSB filings, FinCEN has advised Kivu that a best practice is to file a SAR on all ransomware payments.