In today’s world of cyber threats, many companies have fallen victim to ransomware attacks.  Corporate boards and senior executives face serious issues when their companies are attacked. The payment of ransom is not only costly, but presents significant ethics and compliance issues.  Many companies often conduct ransomware exercises to develop common scenarios and potential responses.  It is an issue worthy of board, senior management and compliance attention.

The Justice Department is devoting resources and expertise to prosecution of cyber criminals, especially in the ransomware arena.  In a recent prosecution, the Justice Department announced the indictment of a Russian national, Mikhail Pavlovich Matveev, who resides in Russia, for three “massive” and “catastrophic ransomware campaigns, including police departments in Washington, D.C. and New Jersey, and various nonprofits.   

Matveev stole data and threatened to expose it unless the victims paid him. The indictment charges him with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers.  In particular, Matveev is charged with conducting three separate ransomware schemes – LockBit, Babuk, and Hive.

Matveev’s attacked 2,800 victims in the United States and made over $400 million in ransom demands and collected $200 million in payments from the victims.

Victims of the attacks ranged from small businesses to government agencies, not-for-profit programs, educational and religious institutions in New Jersey, Kansas, California, Colorado, New Hampshire, Oregon, Washington, D.C., and Italy.  For example, cyberattacks were launched against a non-profit behavioral health organizations and two law enforcement agencies: the Prospect Park Police Department in Passaic County, New Jersey, and the Metropolitan Police Department in Washington, D.C. Matveev leaked law enforcement documents containing information about open investigations, joint operations with federal agencies and sensitive human resources details.

The ransomware attacks were executed in a similar way — by targeting vulnerabilities in the victims’ computer systems by hacking or by purchasing stolen access credentials. After securing access, the attackers deployed the ransomware to encrypt and steal the victims’ data. Matveev and his co-conspirators then sent a ransom note demanding payment in exchange for the data or for not releasing it publicly. If the victim did not pay, the data would often be posted on a public website.

Matveev operated under several aliases, including Wazawaka, m1x, Boriselcin and Uhodiransomwar.  Matveev has not been apprehended. The Department of State has issued an award of up to $10 million in exchange for information that leads to Matveev’s arrest and conviction.

Intentional damage to a protected computer carries a statutory maximum of 10 years in prison. Threats relating to a protected computer carries a statutory maximum of 10 years in prison. The charges also carry potential financial penalties.

OFAC Guidance on Ransomware Payments and Sanctions Compliance

In September 2021, OFAC issued an updated advisory on sanctions risks and ransomware payments.  OFAC’s guidance superseded an earlier OFAC advisory issued in 2020. The updated guidance focuses on victim organizations but extends to financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations after a cyberattack.

OFAC continues to oppose ransomware payments to cyber actors and has underscored its commitment to bring enforcement actions when ransomware payments violate applicable sanctions. The updated advisory from 2021 urges organizations to implement proactive strategies before an attack and to promptly report a ransomware attack law enforcement and other relevant agencies.