How Ransomware Gangs Avoid Sanctions


Katherine Gorham
June 20, 2022

The U.S. has a way to cut off funding to some ransomware gangs, and it works—but it’s seldom used. If the U.S. has economic sanctions against a nation (Iran, Russia, and North Korea, for example) then it can be illegal for American companies to deal with organizations from that nation. This can include paying ransom for ransomware. This cuts into criminals’ revenues, and they take notice.

So why isn’t this a more widely-used practice? This question is explored in Why it’s hard to sanction ransomware groups. TL;DR? It’s usually a problem of evidence.

The article explains that “Only a small handful of … alleged ransomware criminals and groups attacking US victims have been named on sanctions lists over the years by the Treasury Department’s Office of Foreign Assets Control” (OFAC). OFAC typically uses evidence from criminal indictments, “…but such law enforcement actions can take years.”

Sanctions also rely on defenders being able to accurately identify who is extorting them. This can be difficult, since gang names, preferred malware strains, and techniques used to get network access are all subject to frequent change.

In Evil Corp hackers evolve ransomware tactics to dodge US sanctions, security research firm Mandiant notes that a ransomware-as-a-service model is especially useful to hackers trying to dodge sanctions, allowing them to change tools frequently and “carry out their operations in anonymity.”

This article—Evil Corp switches to LockBit ransomware to evade sanctions—has a complementary take: “Another theory is that a switch to others' malicious tools may provide Evil Corp with enough free resources to develop a new ransomware strain from scratch, making it harder for security researchers to link to the gang's previous operations.”

None of this, however, is to say that sanctions aren’t an effective tool. The desire to avoid sanctions may be behind the supposed demise of the notorious Conti gang. The article Conti ransomware shuts down operation, rebrands into smaller units reports that Conti “officially shut down,” but researchers think that all that has happened is that Conti members have dispersed into several smaller groups under new names, making their activities harder to trace.

© Future US LLC, Full 7th Floor, 130 West 42nd Street, New York, NY 10036