U.S. names North Korea as a main culprit in ransomware attacks
The U.S. Treasury on Tuesday issued an updated advisory highlighting the risks associated with ransomware payments, while naming North Korea as one of the main culprits behind such attacks.
The notice follows advisories from the U.S. Treasury issued in 2019 and 2020, which identified malicious cyber activities conducted by the North to collect intelligence, compromise defense systems and generate revenue.
The Tuesday advisory, issued by the Treasury's Office of Foreign Assets Control (OFAC) and directed at companies that facilitate payments on behalf of ransomware victims, warned that such businesses could risk violating Treasury sanctions, in addition to encouraging further ransomware attacks.
Ransomware refers to malicious software installed on target computers designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring access to systems or data.
In some cases, in addition to the attack, cyber actors threaten to publicly disclose sensitive files. The cyber actors then demand a ransomware payment, usually through virtual currency, in exchange for a key to decrypt the files and restore access to systems or data.
The advisory named North Korea as the likely sponsor behind the 2017 WannaCry 2.0 ransomware, which infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization backed by North Korea.
Victims of the WannaCry ransomware attack included Boeing, Honda, FedEx and the National Health Services of both England and Scotland.
While the Treasury's advisory does not carry the force of law, it makes clear that companies that facilitate payments from victims of ransomware to cyber-criminal organizations risk violating U.S. sanctions on the state entities behind the attacks.
"U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes," the advisory said.
The Treasury also encouraged victims of ransomware attacks to cooperate with U.S. investigative authorities, and said that timely reporting and voluntary self-disclosure would be a mitigating factor in any response from the authorities.
"In the case of ransomware payments that may have a sanctions nexus, OFAC will consider a company's self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies," the advisory said.
BY MICHAEL LEE