Thinking of Making a Ransomware Payment? You Could Run Afoul of Iran Sanctions, DOJ Says

Ransom malware, or ransomware, is a growing threat to businesses and individuals. It is software that infects a computer system and prevents users from accessing their files and using their computers. The only way to turn it off is to pay the criminals who infected the computer a ransom to remove it. But doing so could get you in hot water with the federal government, according to a recently unsealed grand jury indictment.

Ransomware infects a computer through an unsolicited email carrying an attachment that gets opened or a link that gets clicked. These messages are typically disguised to look perfectly legitimate, sometimes even using the email address of a known acquaintance or a business we frequent.

One reason so many people were up in arms when Facebook accessed the address books of their users to identify friends is that these relationships can end up in the hands of unknown users who can send email from a friend’s address.

Once the ransomware infects a computer, the criminals often find that the company or individual is willing to pay to remove it and restore access to their files. Often, the cost of losing the data or the use of the computer is greater than the payment being demanded. The payments are then made, usually in cryptocurrency, a digital payment system that avoids the use of credit cards and preserves some anonymity.

But paying some of these criminals may now be illegal. The Department of Justice this week unsealed a grand jury indictment against two Iranian hackers who are alleged to be responsible for the SamSam ransomware attacks. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) identified the cryptocurrency addresses of those individuals who were involved in converting ransomware cryptocurrency payments to Iranian currency.

They announced, “While OFAC routinely provides identifiers for designated persons, today’s action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals.”

In this instance, the cryptocurrency addresses belong to two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who, the U.S. government says, have facilitated the exchange of ransomware payments into Iranian rial. Their crypto accounts contain 5,901 bitcoins — more than $23 million U.S. dollars. They have now been added to the government’s list of individuals with whom U.S. companies and individuals are prohibited from doing business.

Specifically, OFAC notes, “As a result of today’s action, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions. Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”

This means that anyone whose computer is infected with ransomware would be in violation of U.S. law, and could be fined, should they try to make a payment. This also affects private companies that help people deal with ransomware, including those that negotiate on their behalf and make these payments.

One of the many companies that offer this service is Coveware, which positions itself as a first responder to help with ransomware recovery. In a statement to BleepingComputer, Coveware CEO Bill Siegel said:

OFAC has made it clear that any U.S. business that sends cryptocurrency to a wallet address, regardless of the reason, needs to check the OFAC list first. Paying for ransomware with cryptocurrency had previously been tacitly acknowledged as a necessity, despite the legal and regulatory opacity of the activity. Treasury has officially taken the first steps towards setting a regulatory minimum standard of care for ransomware payments, and it’s a big step up.

That means those infected with ransomware need to be careful about making payments. The penalties could be greater than the ransomware demands.