Ransoms and Sanctions and Fines (oh my!)
Ransomware attacks are happening all the time. Just the other month, the Cl0p ransomware gang claimed responsibility for the exploitation of a zero-day vulnerability in the MOVEit Transfer tool.
The attack is estimated to have impacted hundreds of organisations globally that rely on the software. While it has not been publicly revealed if any UK companies have paid ransoms because of the MOVEit hacks, industry experts believe it is likely that they have.
This attack coincided with an exponential rise in the complexity of the UK sanctions regime. At the time of publication, the UK has around 40 separate sanctions regimes all targeting different people and threats, including one that is cyber-specific.
The restrictions imposed by these sanctions regimes, designed to cut designated persons off from their assets, are fiendishly complex and must be complied with by all UK persons and organisations, wherever located, and any organisation doing business in the UK.
If organisations pay a ransom in a ransomware situation, the Office of Financial Sanctions Implementation (OFSI) has broad enforcement powers to impose large penalties if it later turns out that the ransom was unwittingly paid to a designated person.
But, in the anonymous criminal world of ransomware - where the threat actor's income depends on being untraceable - how would you know if you're paying a designated person?
And, if you decide to pay the ransom, could you be penalised twice; once by the threat actor and once by the sanctions regulator?
Ransomware on the rise
Ransomware, a type of malicious software (malware) planted illegally on a computer system to disable its operation and/or prevent access to data until the victim pays a ransom to regain control or access, has evolved.
Now, threat actors routinely use 'double extortion' where they exfiltrate data from a victim's system before encryption and threaten to sell and/or leak data online if a victim refuses to pay the ransom demand.
These ransomware threat actors, including reportedly state-backed groups, can target any organisation at any time and, depending on what data is accessed, encrypted and exfiltrated, the impact could be business critical. This pressure can lead to organisations being compelled to pay a ransom demand. However, payment of a ransom will bring its own potential risks.
Deciphering the UK sanctions regime
One aspect that makes financial sanctions so complex is that the prohibitions are not just imposed on listed 'designated persons', but on any entity owned, held or controlled by a designated person. In fact, it is prohibited to "deal with funds or economic resources owned, held or controlled by a designated person".1
'Funds', 'economic resources' and 'dealing'2 are all defined as broadly as possible to cut off the designated person, and any entity they own or control, from the financial system.
Ownership and control are also defined very broadly as any entity where the designated person:
- holds directly or indirectly more than 50% of the shares in the entity;
- holds directly or indirectly more than 50% of the voting rights in the entity;
- holds the right directly or indirectly to appoint or remove a majority of the board of directors of the entity; or
- it is reasonable, having regard to all the circumstances, to expect that P would (if P chose to) be able, in most cases or in significant respects, by whatever means and whether directly or indirectly, to achieve the result that affairs of the entity are conducted per a DP's wishes.
This is a very different approach than in the US. In the US, information about any entities owned or controlled by a designated person is known, those entities will be added to the SDN (Specially Designated Nationals and Blocked Persons) list, which operates as a 'one-stop shop' list for designated persons.
In the UK, OFSI has expressly stated that entities owned or controlled by a designated person "may not be designated in their own right, so their names may not appear on the Consolidated List or UK Sanctions List. However, those entities are similarly subject to financial sanctions."3
Ask for forgiveness, not permission… except with sanctions
The OFSI enforcement powers were broadened in 2022 by:
- The amendment of the Policing and Crime Act 20174 to remove the defence that the person did not know (or have the means of knowing) that they were dealing in the funds of a designated person, with the effect that OFSI can impose a penalty of up to £1m per breach even when the paying party was unaware of where the funds end up.
- The upholding of the decision of OFSI to fine TransferGo Limited £50,000 where TransferGo believed they were complying but made "an error in its assessment of whether the payments [to a designated person] were subject to financial sanctions restrictions."5
OFSI can and will impose penalties for paying entities owned or controlled by a designated person despite the difficulties inherent in determining whether an entity is in fact owned or controlled. This is especially true where the payment is to a threat actor, anonymous by design.
OFSI are aware that, in some instances, trying to trace ownership and control is difficult. In order to give comfort to companies faced with this impossible challenge, OFSI released guidance entitled 'OFSI enforcement and monetary penalties for breaches of financial sanctions' which details what OFSI will consider when there has been an unknowing breach of financial sanctions. This guidance acts as a 'how to' when considering paying a ransom to an entity and particularly requires:
- An examination of actual, or the potential for, influence or de facto control over an entity by a designated person; and
- Open-source research on an entity and any persons with ownership of, or the ability to exercise control over, the entity, together with an examination of whether such persons are, or have links to, designated persons such that further investigation may be warranted.
Recent guidance on ransoms and sanctions
Most organisations are unaware that, in conjunction with the US Office of Foreign Asset Control (OFAC), the UK sanctioned seven individuals involved in a group that the National Crime Agency (NCA) assessed to have extorted at least £27 million from UK victims, noting that "[m]aking funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions."
Any organisation paying a ransom runs the risk of making funds available to individuals on the sanctions list. Organisations need to be aware of how best to conduct themselves before being scrutinised by OFSI and the NCA. OFSI will look at the whole of the matter, paying attention to anything that mitigates any breach, including:
- Reporting: Victims should report to and cooperate with the UK Government and law enforcement (such as Action Fraud and the NCSC) at the earliest opportunity, including technical details, information on the ransom payment and accompanying instructions. OFSI will also expect prompt and complete voluntary disclosure of the payment to them as soon as practicable if it is later discovered that a payment has been made to a designated person.
- Pre-payment due diligence: It is expected that checks will be made against the UK's Consolidated List of Financial Sanctions Targets, which includes 15 individuals and five entities designated under the Cyber Regulations. However, this will not identify any entities that are subject to an asset freeze due to ownership or control. Unhelpfully, OFSI does not mandate specific financial sanctions systems or due diligence measures necessary to identify the unknown, instead placing the onus on each victim.
What does that mean for organisations? In practice, there are four key elements to make certain that your organisation stands the best chance of not falling foul of sanctions enforcement when considering making a ransomware payment:
- Ensure that research is carried out to the best extent possible on the method of attack, the threat actor and their affiliates: there might only be limited time available in practice, but making enquiries to the extent possible from open source materials will help to protect the sanctions position.
- Ensure that all research and checks are documented: research is only as good as the records made of what checks were made and when, should a payment to a designated person come to light months or years later.
- Cooperate with authorities: While the prospects of apprehending the threat actor making the ransom demand to your organisation may be slim, informing and cooperating with law enforcement protects your organisation's position, and might in the long run, and in conjunction with other reports, lead to action against threat actors.
- Ensure that all appropriate sanctions requirements are considered, including other international sanctions regulations, for example, if the ransom is denominated in another currency.
Obtaining external help in carrying out sanctions checking might well help in covering these points.
Payment of a ransom is not typically advisable as it helps to sustain the criminal marketplace and further encourages the targeting of UK organisations by criminal actors. Although some organisations believe that making such a payment may restore their business back to usual, it may actually expose such organisations to the risk of fines and even criminal prosecution for breaching sanctions.
Due diligence, risk mitigation measures, including specific sanctions enquiries and early reporting to appropriate bodies are crucial considerations for organisations before payment of a ransom.
As ever, prevention is better than cure. Organisations should implement preventative cyber resilience measures, such as the ability to restore critical data from back-ups, as part of business continuity planning and strategy, and ensure that sanctions due diligence procedures are mature, risk-based and bedded into all parts of operational culture.
An abridged version was published on August 24, 2023 by Law.com.
1 See Regulation 11 of the Cyber (Sanctions) (EU Exit) Regulations 2020
2 See section 60 of the Sanctions and Anti-Money Laundering Act 2018
3 See page 5
4 Amended by section 54 of the Economic Crime (Transparency and Enforcement) Act 2022
5 See paragraph 8