Conti Ransomware hacked computer system of more than 1,000 victims around the world. They locked the victims' files and collected more than $150 million in ransoms to restore access.
Moreover, the ransomware gang stole victims' data, published samples on dark website and threatened to publish more unless they were paid.
They have inflicted a widespread of damage, but they still weren't sanctioned.
Isn't that surprising? Why is it so difficult to sanction ransomware groups?
Why Is It Difficult To Sanction Ransomware Groups?
According to current and former Treasury officials, putting a ransomware group on a sanctions list isn't as simple as it might seem since sanctions are only as good as the evidence behind them.
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury mostly relies on information from intelligence and law enforcement agencies, as well as media reports and other sources.
But when it comes to ransomware, OFAC has typically used evidence from criminal indictments, such as that of the alleged mastermind behind the Russian-connected Evil Corp cybercrime gang in 2019.
The problem is such law enforcement actions can take years.
Michael Lieberman, assistant director of OFAC's enforcement division said that "Attribution is very difficult."
To evade sanctions and law enforcement, ransomware groups are constantly changing their names.
In fact, on Thursday, the Bleeping Computer reported that Conti Ransomware itself has "officially shut down their operation." The report, which cited information from a threat-prevention company called AdvIntel, stated that "Conti's gone, but the operation lives on."
The passing out of Conti's name gives another reason why it's hard to sanction ransomware groups: Putting a group on a list of sanctioned entities without also naming the individuals behind it or releasing other identifying characteristics could cause hardship for bystanders, as per Ars Technica.
By imposing sanctions, the federal government would cripple victimized organizations. These victimized organization might suffer disclosure of trade secrets or other sensitive information, or might have to shut down if they couldn't recover their locked files.
On the other hand, if they could pay the ransom, the hacker would supply a key to unlock the files and pledge to delete stolen data.
Read Also: Conti Ransomware Group Adds Nordex to List of Victims
How Should Victims Respond to a Ransomware Attack?
According to Ars Technica, the federal government has long discouraged the payment of ransom and in recent years has put the professionals who work with ransomware victims on notice.
The Treasury Department issued an advisory in October 2020 saying that "companies that facilitate ransomware payments to cyber actors on behalf of victims" may "risk violating OFAC regulations."
In 2021, a second advisory was issued which seemed to acknowledge that victims sometimes make payments that violate sanctions. In these special cases, victims and their representatives may receive leniency from the agency if they quickly report the incident and payment to OFAC.
Actually, a lot of victims in the past choose not to report attacks to the FBI out of fear that the intrusion would become public or the FBI would instead investigate the company itself.
With the new advisory, the Treasury Department hopes that more victims to work with law enforcement. This, in turn, could lead to more indictments and more sanctions.
This strategy of the Treasury Department seems to be working as more victims are now reporting incidents to law enforcement.
Related Article: New Ransomware Gang 'Black Basta' Emerges - Here's How To Fight Them