The US Department of the Treasury’s Office of Foreign Assets Control (Ofac) has warned that ransom payments to hackers could violate its strict sanctions regulations and lead to financial and other penalties.

Its comments come after shipping-related companies appeared to be targeted by hackers, with cyber-attacks on French liner giant CMA CGM and the International Maritime Organization last week.

In both instances some IT functions were shut down for several days. It is not known if ransom demands were made following the attacks.

In an advisory, Ofac cited previous instances where cyber-attacks on companies and subsequent ransom demands had involved persons from countries that are subject to US sanctions, including Iran and North Korea.

Ofac said: “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States.”

Penalties for ransom payments

It warned that cyber-related ransom payments would attract the same penalties as any other breach of US sanctions.

On cyber-attacks Ofac said: “Ofac may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know, or have reason to know, it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by Ofac.”

Marine protection and indemnity mutual insurers are concerned about the development and potential financial penalties on their shipowner members.

Other major shipping lines have been targeted by cyber-attacks, including Maersk and Cosco, with the cost of such attacks running into hundreds of millions of US dollars.

Chris South, senior underwriter at P&I club the West of England, said: "Ransomware is an increasingly popular method of attacking shipping companies, and in many cases these assaults are coming from organisations which are subject to sanctions by the USA.

Strict liability applies

"Ofac confirmed that facilitating payments to such attackers will be a 'strict liability' offence. This means that anyone who is subject to US jurisdiction can be financially and civilly liable even if they didn't know that they were breaching sanctions," he said.

Ofac said companies that fall victim to cyber-attacks and ransom demands should report the incident immediately.

“Ofac encourages victims and those involved with addressing ransomware attacks to contact Ofac immediately if they believe a request for a ransomware payment may involve a sanctions nexus,” Ofac added.