On February 9, 2023, the UK announced the designation of seven individuals said to be part of a Russia-based cybercrime gang under the UK’s thematic cyber sanctions regime pursuant to The Cyber (Sanctions) (EU Exit) Regulations 2020. The designations were coordinated with the US. Concurrently, HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”), in partnership with other HM Government (“HMG”) organisations, published guidance on sanctions and ransomware, which addresses the impact of ransomware payments, cyber resilience, and HMG’s approach to enforcement of financial sanctions breaches related to ransomware attacks.
According to OFSI’s Designation Notice, the individuals targeted by the UK are Russian nationals: (1) Vitaliy Kovalev; (2) Valery Sedletski; (3) Valentin Karyagin; (4) Maksim Mikhailov; (5) Dmitry Pleshevskiy; (6) Mikhail Iskritskiy; and (7) Ivan Vakhromeyev. The same individuals were targeted by the US, pursuant to Executive Order 13694, as amended by Executive Order 13757.
Ransomware groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been responsible for the development and deployment of Trickbot, Anchor, BazarLoader, BazarBackdoor, the ransomware strains Conti and Diavol, and the deployment of Ryuk ransomware.
According to a HMG press release, all seven individuals are cyber criminals “associated with the development, or deployment, of a range of ransomware strains which have targeted the UK and US.” In particular, the National Crime Agency (“NCA”) identified that (1) 104 UK victims of the ransomware strain known as Conti paid approximately £10,000,000 and (2) 45 UK victims of the ransomware strain known as Ryuk paid approximately £17,000,000.
The Conti ransomware strain was behind attacks that targeted hospitals, schools, businesses, and local authorities, including the Scottish Environment Protection Agency. The group behind Conti also was one of the first cyber crime groups to back Russia’s war in Ukraine, voicing its support for the Kremlin within 24 hours of the invasion in February 2022. Key members of the group have been assessed by the National Cyber Security Centre (“NCSC”), a part of GCHQ, as “highly likely to maintain links to the Russian Intelligence Services from whom they have likely received tasking.”
Ransomware has been identified as a tier 1 national security threat in the UK, with attacks against businesses and public sector organisations increasingly common. While the ransomware group responsible for Conti disbanded in May 2022, reports suggest that members of the group continue to be involved in a number of new ransomware strains that threaten UK security.
The designations have been described as the first wave of a new coordinated action against international cyber crime and follow a complex, and ongoing, investigation led by the NCA, which will continue to seek to disrupt the ransomware threat to the UK. In imposing sanctions on these individuals, UK Foreign Secretary James Cleverly stated that “[b]y sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.”
Following their designations, the individuals are subject to an asset freeze and UK travel ban. It is also prohibited for individuals and entities subject to UK sanctions jurisdiction to make funds or economic resources available to, or for the benefit of, these individuals (e.g., by paying a ransom, including using crypto assets).
Sanctions and Ransomware Guidance
In coordination with these designations, OFSI also has published Guidance on Ransomware and Financial Sanctions (“Ransomware Guidance”). The Ransomware Guidance states that HMG “does not condone making ransomware payments and promotes the strengthening of cyber resilience measures to prevent and mitigate against ransomware attacks.”
Responding to a Ransomware Attack
When dealing with a ransomware attack, the Ransomware Guidance suggests that the following steps should be considered:
- disconnect the infected device from all network connections, whether wired, wireless, or mobile phone based;
- use HMG’s cyber incident reporting portal to report the attack as soon as possible;
- implement effective due diligence to mitigate the risk of a financial sanctions breach, including attempting to restore from back-ups to obviate the need to consider making a ransom payment to a UK designated person;
- consider the applicability of other countries’ sanctions laws (e.g., consider whether you are dealing with an individual, entity, or country that is subject to sanctions under another applicable jurisdiction);
- submit a report to the Information Commissioner’s Office if a breach under the UK GDPR or Data Protection Act 2018 has occurred;
- if applicable, report the incident to your sector’s regulator to fulfil any applicable regulatory obligations you might have; and
- seek independent legal advice where necessary.
Sanctions Risks Associated with Ransomware
The Ransomware Guidance explains that paying a ransom to a UK designated person might also expose the victim(s) of a ransomware attack, and organisations facilitating ransomware payments on behalf of the victim (e.g., banks and crypto asset businesses), to civil and criminal penalties. Intentionally participating in activities that circumvent, enable, or facilitate the contravention of an asset freeze targeting a UK designated person also is prohibited.
More generally, some UK sanctions regimes prohibit and restrict the transfer of certain funds to, or from, a particular jurisdiction. Facilitating a ransomware payment may breach these sanctions, or the law of other jurisdictions.
Mitigating the Risks of Financial Sanctions Breaches Involving Ransomware Attacks
The Ransomware Guidance advocates the adoption of effective due diligence measures and the NCSC’s preventative cyber resilience measures to mitigate the risks of a financial sanctions breach, including the NCSC’s:
- guide to understanding ransomware and advice on protection against ransomware attacks;
- Cyber Incident Response assurance scheme;
- Exercise in a Box tool, which helps organisations to understand their resilience to cyber attacks by testing and practicing responding to a cyber attack;
- Early Warning service, which provides organisations with information about threats to their network;
- Cyber Security Toolkit for Boards, which is designed to aid board members in getting to grips with cyber security;
- Small Business and Small Charity Guides, containing advice on protecting against the most common cyber attacks;
- guidance on responding to, and recovering from, a ransomware attack; and
- guidance for considering cyber insurance.
With respect to due diligence measures, the Ransomware Guidance states that businesses (including businesses that engage with victims of ransomware attacks by facilitating or processing ransomware payments) should assess their exposure to sanctions and ransomware risks and implement due diligence measures that appropriately manage any identified or anticipated risks. While OFSI does not mandate specific financial sanctions systems, controls, or due diligence measures, it expects businesses to ensure that they have put in place sufficient measures to avoid committing a breach of financial sanctions.
Victims of a ransomware attack are encouraged to use HMG’s cyber incident reporting portal to identify the correct organisations to which to report any ransomware attacks.
HMG’s Approach to Enforcement
The Ransomware Guidance states that suspected ransomware payments to a UK designated person should be reported to OFSI as soon as practicable and that “[a] prompt and complete voluntary disclosure of a breach of financial sanctions by a person who has committed a breach will generally be a mitigating factor when OFSI assesses the case and any potential enforcement action.”
In line with OFSI’s general approach to enforcement, each suspected breach will be treated on its own merits and assessed on a case-by-case basis. In assessing a case, the Ransomware Guidance states that OFSI will take a range of factors into account, including the following aggravating and mitigating factors:
| Aggravating Factors | Mitigating Factors |
| --- | --- |
| Failure by a regulated professional to comply with regulatory standards. | A report by the victim of a ransomware attack through HMG’s cyber incident reporting portal. |
| Failure to engage with law enforcement during and after a ransomware attack. | A prompt, complete, and timely voluntary disclosure to OFSI of any ransomware payment to a UK designated person by the victim of the attack. |
| Repeated, persistent or extended breaches by the same person. | A prompt, complete, and timely voluntary disclosure to OFSI by a third party that has facilitated a ransomware payment to a UK designated person. |
| | Provision of all relevant information (e.g., technical details, information on ransom payment, payment instructions) to law enforcement. |
In addition to imposing a range of civil penalties, including civil monetary penalties, for breaches of financial sanctions in relation to ransomware attacks, OFSI can refer breaches to the NCA for criminal investigation in appropriate cases. The Ransomware Guidance makes clear that an investigation by the NCA is very unlikely to be commenced into a ransomware victim, or those involved in the facilitation of the victim’s payment (e.g., banks, crypto asset businesses, cyber incident responders, insurance, and negotiation service providers), provided that there has been proactive engagement as described in the mitigating factors above.
Moreover, the Ransomware Guidance states that, if the mitigating steps outlined above are followed, OFSI and the NCA would be more likely to resolve a sanctions breach involving a ransomware payment through means other than a monetary penalty or criminal investigation and prosecution. For more information on how these developments could impact your organisation, contact the author of this post, Alexandra Melia, in Steptoe’s Economic Sanctions team in London.