OFAC Guidance on Ransomware Payments Highlights Sanctions Violations Risk
The Situation: In an October 1, 2020, Advisory, the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") warned that companies that make or facilitate ransomware payments to threat actors who are sanctioned persons or in comprehensively sanctioned jurisdictions risk violating OFAC regulations and related laws. Companies and individuals face civil monetary and administrative penalties imposed on a strict liability basis, and knowing violations can lead to criminal liability.
The Result: While the Advisory does not change existing law, it signals increased regulatory enforcement and an intent to put companies on notice of this risk.
Looking Ahead: Companies in all industries should assess their compliance programs and incident response plans to ensure they appropriately mitigate sanctions risks. When facing a ransom demand, taking reasonable steps to try to determine the identity of threat actors demanding ransoms and early engagement and cooperation with law enforcement may reduce sanctions risk.
Ransomware is malicious software that blocks access to computer systems or data, often through encryption, in an effort to extort payments from victims in return for restoring access to the affected systems and data. Ransomware attacks not only disrupt business operations, but increasingly are accompanied by threatened public disclosure of stolen data. These tactics escalate the pressure to pay ransoms. In response to the increase in the number and sophistication of ransomware attacks, as well as the potential national security threat posed by ransom payments to sanctioned parties, on October 1, 2020, OFAC issued an Advisory highlighting the sanctions risks faced by parties that make or facilitate ransom payments to malicious cyber actors. The Advisory emphasized the potential for civil penalties under the International Emergency Economic Powers Act ("IEEPA") and the Trading With the Enemy Act ("TWEA"). While the OFAC Advisory does not herald or discuss a change in the law, it suggests the possibility of more active regulatory enforcement—and the corresponding need for companies to mitigate risk. OFAC's concern is shared in many respects by other countries comprising the Group of Seven ("G7"), which issued a statement on October 13 regarding the proliferation of ransomware attacks and expressing a commitment to increased information sharing and coordination to combat this rising threat.
OFAC's Focus on National Security Concerns
Since 2016, OFAC has added high-profile entities, individuals, and cryptocurrency wallet addresses associated with ransomware variants, including those associated with Cryptolocker, SamSam, WannaCry, and Dridex malware, to its list of Specially Designated Nationals and Blocked Persons ("SDN List"). These designations are driven by OFAC's concern that ransom payments can help criminals and adversaries further their illicit aims and fund activities adverse to U.S. national security and foreign policy objectives. OFAC's Advisory emphasizes the broad reach of its regulations—which include civil monetary penalties of the greater of $305,292 per violation or twice the value of the transaction that forms the basis of the violation. The breadth of OFAC's regulations, coupled with its current focus on facilitating ransom payments, underscores the sanctions risk for victims and companies (including those assisting the victims) involved in incident response. To further emphasize its view regarding the threat posed by these payments, OFAC noted that it will review license applications involving ransomware payment demands on a case-by-case basis—with a presumption of denial.
The Implications of OFAC's Advisory for Companies
In the face of OFAC's concerns and potential liability, companies confronted with a ransomware attack face significant risk. In some situations, a company may know or suspect that a threat actor demanding a ransom has a sanctions nexus—a scenario presenting heightened risks. In many situations, however, a company may not know the malicious actor's identity. Indeed, a company may have no reasonable basis to believe that the threat actor is on the SDN List or have any nexus to sanctioned parties. However, because OFAC's regulations are enforced on a strict liability basis, a company could be held civilly liable even if a ransom payment is made unknowingly to a sanctioned person.
OFAC's Advisory highlights serious sanctions risks that may change the calculus companies use when assessing whether to pay a ransom demand. The Advisory sets forth several actions companies can take to reduce the risk of an enforcement action. OFAC suggests that companies implement risk-based compliance programs specifically focused on mitigating the risk that a ransom payment may involve sanctioned individuals or jurisdictions. The Advisory notes that this suggestion also applies to intermediaries engaged by victims to provide services that involve processing ransom payments, cyber insurance, and digital forensic and incident response services.
The Advisory also provides that OFAC will consider a company's self-initiated, full, and timely report of a ransomware attack to law enforcement, as well as continued cooperation both during and after the incident, to be significant mitigating factors when assessing an appropriate enforcement response in the event of an apparent violation.
Finally, OFAC encourages ransomware victims and companies involved in helping victims to "contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus." It also urges victims to contact the U.S. Department of the Treasury's Office of Cybersecurity and Critical Infrastructure Protection if the incident involves a United States financial institution or could cause a significant disruption involving a critical financial service.
Three Key Takeaways
- OFAC's October 1, 2020 Advisory suggests increased enforcement focus on those who make or facilitate ransom payments to actors who have a sanctions nexus.
- Companies should review and, if necessary, enhance their compliance programs and ransom policies to mitigate sanctions risks.
- Taking reasonable steps to determine the identity of threat actors demanding ransoms, and early engagement and cooperation with law enforcement, may reduce sanctions risks.
John Cheretis, an associate in the Washington Office, assisted with the preparation of this Alert.