British authorities have never detected a breach of ransomware sanctions — but is that good or bad news?
The agency responsible for monitoring financial sanctions in Britain has never detected an illicit payment to an entity embargoed under the country’s counter-ransomware regime, according to information obtained by Recorded Future News.
The sanctions regime explicitly prohibits victims from making any extortion payments to the 29 individuals and 5 entities listed under the United Kingdom’s cyber sanctions law — the Cyber (Sanctions) (EU Exit) Regulations 2020 — unless the victim obtains a license from the Office of Financial Sanctions Implementation (OFSI).
If a victim does obtain a license, the payment would not be considered a breach of the sanctions. OFSI told Recorded Future News it does not disclose details about the licenses it issues, but guidance for victims published by the agency states “ransomware payments are unlikely to be considered appropriate” for a permit.
In response to a freedom of information request, the compliance authority said it could “confirm that according to our records, OFSI has received no reports of breaches of the [cyber sanctions] involving payments being made to a person designated by the United Kingdom.”
That no violations have been spotted raises questions over whether the sanctions are stopping victims from making extortion payments or if the country’s monitoring efforts are just failing to catch them. The picture is further complicated by the difficulties of attributing attacks made under one group’s name to individuals or entities sanctioned under another — an issue that would likely be the subject of a lengthy legal battle.
But according to multiple operational sources involved in the fight against ransomware, these kinds of questions miss the true use that law enforcement is putting the sanctions to — which is not simply about frustrating the payments.
Will Lyne, the head of cyber intelligence at the UK’s National Crime Agency (NCA), told Recorded Future News his organization “assessed that sanctions have hampered the ability of cyber threat actors to monetise their cyber criminal activities.” But, more significantly, Lyne added that the agency’s use of sanctions also “contributed to sowing discord within certain groups.”
This additional function of the sanctions regime is prized by the NCA and international partners. Naming the cybercriminals undermines their anonymity and adds stress to potential relationships between them and colleagues, as well as with corrupt officials in jurisdictions such as the Russian Federation where they may be expected to provide kickbacks or to receive tasking from the security services.
Choosing whom to sanction also offers flexibility for a range of covert actions. Keeping a name off the sanctions list can give a suspect a false sense of security to travel abroad if an arrest is planned, or it can provide leeway if a suspect is cooperating, officials have told Recorded Future News. A sense of injustice between those who have been sanctioned and any co-conspirators left off the list can also cause divisions within the organized crime groups.
The point of the sanctions isn’t to add more pressure to victims, but to provide law enforcement agencies with an additional tool to disrupt business as usual for the ransomware gangs. James Babbage, who joined the NCA last year as its director general for threats, told Recorded Future News: “Our aim is to reduce the volume and severity of attacks by making it more difficult for cybercriminals to operate.”
Last February, when the United Kingdom and United States sanctioned seven people connected to a single network behind the Conti and Ryuk ransomware gangs, the vice president of research at Secureworks, Don Smith, said the move represented “positive, coordinated steps in the global fight against ransomware.”
The sanctions “give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions,” Smith added.
“Disruption efforts on financial transactions will be related to known assets, such as cryptocurrency wallets and bank accounts used by the designated individuals,” said the Secureworks expert, meaning that “accounts, funds or other economic assets” can be frozen without holding a sword over the heads of ransomware attack victims.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.