OFAC the Ransomware Gangs

Ransomware is in the news once again. Last week, the Washington Post reported that a “cyberattack” on CDK Global, a provider of software-as-a-service, crippled thousands of car dealerships’ sales floors by disabling essential tools. This, like so many other incidents, was a ransomware incident in which the attackers demand that CDK pay or their systems won’t be restored. CDK reportedly plans to pay the several million dollar ransom.

For an individual company, it can make sense to pay, as a company that pays undoubtedly believes this will cost less than evicting the intruder and restoring from backups. But allowing victims to pay only encourages the purveyors who have extorted over a billion dollars in 2023 alone.

Paying any ransomware purveyor should be illegal, and, if OFAC (the Office of Foreign Assets Control) and the White House wish to act, it can be. OFAC already makes an effort to identify individual groups for sanctions, making it illegal to pay those particular ransomware gangs with a significant effect.

The recent International Counter Ransomware Initiative joint statement almost gets there but doesn’t go far enough. In it, a coalition of over 50 countries agreed that governments should not pay ransoms, a recognition of the fact that if governments made and enforced such a commitment, then ransomware purveyors would have no incentive to target governmental systems.

Although the statement “encourages” companies not to pay ransoms, the initiative lacked a collective push to ban the practice of paying ransoms. A discussion among participants afterward made it clear why: It is viewed as an individual business decision on the part of victim companies.

Yet, paying ransoms can’t be viewed as just an individual business decision if the goal is to stop ransomware altogether. When Caesars Entertainment was attacked by Scattered Spider, the company paid $15 million in ransom. MGM, by contrast, refused to pay the same gang and suffered $100 million in disruptive effects. In other words, Caesars made an individual business decision to pay, but the consequences extend far beyond one business. Caesars’s payment made the Scattered Spider gang $15 million richer, and, critically, now every ransomware gang has an incentive to keep attacking. Although Caesars individually benefited from paying the ransom, the collective industry is now worse off as the ransomware gangs are both richer and emboldened to continue to target such companies.

Enhanced cybersecurity measures go only so far. We can’t “cyber-harder” our way out of this situation. Attackers always have innate advantages. The only viable solutions are economic: Make sure there is no reason why attackers would want to conduct these attacks in the first place by removing any possibility of a payday.

Thus, stopping ransomware requires collective action: Nobody can pay. Similar to U.S. efforts to stop foreign bribery, any individual payment is actually a rational action, making it impossible to stop, short of making all ransom payments illegal.

The legal framework for making ransomware payments illegal largely already exists. The ability for OFAC to designate individual ransomware gangs is articulated in Executive Order 13694 and 13757. In a nutshell, OFAC can designate those responsible for cyber-enabled activity largely originating from outside the United States that can affect various aspects including economic health and financial stability—in other words, ransomware gangs.

OFAC’s designation of individual ransomware gangs makes the payment process more difficult. One of the primary roles of a “ransomware negotiator” is to pinky-swear that the particular ransomware gang being paid is not on the OFAC designated list. Of course, the problem is these gangs quickly change and rebrand in part due to OFAC’s actions.

In the CDK Global case, the attacker is reportedly the BlackSuit group, which is reportedly a rebadge of Royal Ransomware, which is reportedly a successor to the sanctioned Conti ransomware gang. But BlackSuit isn’t on the OFAC designation list (yet), so CDK can credibly claim they aren’t violating OFAC’s sanctions if they pay. CDK is in the clear if and when OFAC later designates BlackSuit in addition to Conti or TrickBot.

Which means that OFAC needs a change in tactics: Every ransomware group needs to be designated by OFAC as a sanctioned entity in the absence of formal identity of those behind the group, making it illegal for all U.S.-connected companies to pay ransomware gangs.

OFAC alone can do it by acting quickly, or it may require a slight clarification of the executive order, but the strategy is simple: Assume every ransomware gang has a significant non-U.S. presence.

Computer attacks don’t respect borders, and just as Rule 41 was amended to account for the situation where location could not be determined, the president might amend the executive order to clarify that, in the lack of jurisdictional information, OFAC can simply assume that an individual or group has substantial connections outside the United States.

But even without amending the order, OFAC could simply set up a pipeline to designate every ransomware gang as soon as it is identified as a collective, rather than attempting to deanonymize the individuals. It would make clear that the pinky-swear by ransomware negotiators is false: The group is already designated, making it illegal for a U.S. business to pay.

The only fly in the ointment is the possibility of gangs with a primary U.S. presence. In the case of Caesars and MGM, reports suggest that at least some Scattered Spider gang members are U.S. based, while others are in the U.K. And who knows where else the members operate from? It is certainly geographically broad enough that I’ll argue there is a significant foreign nexus. But what if there isn’t?

The solution to the problem of domestic gangs is simple: The lawyers for the collective can simply challenge the designation. When the gang’s lawyers appear in a D.C. courtroom and make the case that this particular gang is of primarily domestic origin, I’m quite certain the court will happily listen and issue an injunction making that particular gang exempt from OFAC’s designation. I’m also sure the FBI would then be happy to talk to the gang’s lawyers about the crime-fraud exception.

The only other groups that should have standing to challenge the designation are active victims. But a ransomware victim is under a time crunch, and the time it would take to do even a prima facie showing that a particular gang does not have a significant foreign nexus would take more time than a victim would likely have.

“Designate all the ransomware gangs” would make it practically illegal to pay. All gangs effectively meet the criteria for OFAC designation already, and, on the off chance that one particular gang does not, there’s a vehicle to challenge such designation.

We need to make it illegal to pay ransomware gangs because as a country we need to be asking ourselves: Do we want ants ransomware?

Because letting companies pay is how we get ransomware.