Close this search box.

How Ransomware Gangs Avoid Sanctions

The author

The U.S. has a way to cut off funding to some ransomware gangs, and it works—but it’s seldom used. If the U.S. has economic sanctions against a nation (Iran, Russia, and North Korea, for example) then it can be illegal for American companies to deal with organizations from that nation. This can include paying ransom for ransomware. This cuts into criminals’ revenues, and they take notice.

So why isn’t this a more widely-used practice? This question is explored in Why it’s hard to sanction ransomware groups. TL;DR? It’s usually a problem of evidence.

The article explains that “Only a small handful of … alleged ransomware criminals and groups attacking US victims have been named on sanctions lists over the years by the Treasury Department’s Office of Foreign Assets Control” (OFAC). OFAC typically uses evidence from criminal indictments, “…but such law enforcement actions can take years.”

Sanctions also rely on defenders being able to accurately identify who is extorting them. This can be difficult, since gang names, preferred malware strains, and techniques used to get network access are all subject to frequent change.

In Evil Corp hackers evolve ransomware tactics to dodge US sanctions, security research firm Mandiant notes that a ransomware-as-a-service model is especially useful to hackers trying to dodge sanctions, allowing them to change tools frequently and “carry out their operations in anonymity.”

This article—Evil Corp switches to LockBit ransomware to evade sanctions—has a complimentary take: “Another theory is that a switch to others’ malicious tools may provide Evil Corp with enough free resources to develop a new ransomware strain from scratch, making it harder for security researchers to link to the gang’s previous operations.”

None of this, however, is to say that sanctions aren’t an effective tool. The desire to avoid sanctions may be behind the supposed demise of the notorious Conti gang. The article Conti ransomware shuts down operation, rebrands into smaller units reports that Conti “officially shut down,” but researchers think that all that has happened is that Conti members have dispersed into several smaller groups under new names, making their activities harder to trace.

Sign Up For Our Newsletter

Don’t worry, we hate spam too!

Get The Latest On Ransomware Right In Your Inbox

Sign Up To Receive Our Monthly Ransomware Newsletter
Don’t worry, we hate spam too

Is This Your Business?
Get In Touch

Contact Us To Sponsor Your Business Listing & Learn More About The Benfits.

Before You Go!
Sign up to stay up to date with everything ransomware

Sign Up To Receive Our Monthly Ransomware Newsletter
Don’t worry, we hate spam too

JUST RELEASED: The 2024 State of Ransomware Survey is in.


Share via
Copy link
Powered by Social Snap