The scenario is a sad one, but all too frequent: you come to the office and learn that all your company's computers and servers are encrypted. You don't know if your clients' data is safe. The only image your computers will display is a mocking ransom note, directing you to immediately pay thousands of dollars, otherwise the attacker will delete your data. To add insult to injury, you must pay in Bitcoin, a virtual currency made famous for its use as tender in Dark Web drug transactions and underground arms sales. So you ask your IT department to get some Bitcoin and make the payment. What could be worse?
For one thing, your payment may run afoul of U.S. anti-money laundering laws. In particular, any company that makes such a payment risks being categorized as a "money service business" (MSB) under the Bank Secrecy Act (BSA) and corresponding U.S. Treasury regulations. MSBs are treated as financial institutions, like banks, under the BSA. A company that qualifies as an MSB must comply with a whole host of statutes and regulations.
The regulations are strict, and the penalties for noncompliance are harsh. Significantly, MSBs must register with the Department of Treasury.1 Thereafter, certain transactions will require the MSB to report specific details about the transaction to the Treasury. For example, MSBs must report transactions that, in their aggregate, exceed $10,000 as well as suspicious transactions that are relevant to a possible crime.2
Because the ransom demanded in a typical ransomware attack is rarely less than several Bitcoin ($3,989.35 as of today), both requirements likely will be triggered when paying a ransom. Further, the MSB may be required to verify and document the identity of the individuals involved in the transaction – a tall order when dealing with criminal actors intent on concealing their identities.3
A company that runs afoul of these requirements risks civil and criminal prosecution by the
U.S. Treasury and the Department of Justice. These agencies have prosecuted domestic and foreign companies engaged in making payments to attackers on behalf of victims without registering as MSBs with Treasury. In its press release for one such 2017 action, the FBI did not hide its ire:
"[The parties] knowingly exchanged cash for Bitcoins for victims of 'ransomware' attacks . . . n doing so, [the parties] knowingly [enable] the criminals responsible for those attacks to receive the proceeds of their crimes, yet, in violation of federal anti-money laundering laws, [the parties] never filed any suspicious activity reports regarding any of the transactions."
So, what's the answer? How can companies dealing with a ransomware attack navigate the maze of regulations in a tense and time-sensitive situation? The first step should be to consult with knowledgeable legal counsel and competent, specialized recovery firms that are capable of negotiating and paying the ransom without running afoul of anti-money laundering laws. Not only should these firms be registered with the U.S. Treasury, they should already have a Bitcoin wallet readily available and sufficiently funded to promptly make payment, as needed. From delaying payment and risking further retribution from an attacker, to running afoul of federal anti-money laundering laws, proceeding blind or choosing the wrong partners could make a bad situation worse.
1 31 CFR 1022.380(b)(4).
2 See 31 CFR 1010.311–.330.
3 31 CFR 1010.312.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.