On September 21, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced several actions intended to “advance the United States government’s broader counter-ransomware strategy,” including an update to OFAC’s October 2020 advisory on ransomware payments and the first Specially Designated National (“SDN”) designation of a virtual currency exchange. OFAC’s action is part of what it described as a “whole of government” approach to combatting the threat posed by ransomware and, indeed, its updated advisory represents a unique effort to leverage OFAC’s potential enforcement authority to encourage ransomware victims to report ransomware incidents to, and cooperate with, law enforcement.

Updated OFAC Ransom Payment Guidance

As we’ve previously discussed, last fall OFAC issued an advisory on the potential sanctions risks for facilitating ransomware payments. The advisory reiterated the legal prohibitions on US persons with respect to dealings with sanctioned entities or individuals, emphasized the strict liability character of the sanctions regime, and noted that ransomware payments run the risk of violating sanctions if the recipient is a sanctioned person or in a jurisdiction subject to comprehensive sanctions. The advisory encouraged cyber insurance providers, cybersecurity incident response firms, financial institutions and all companies “to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” And it noted that the existence of such a compliance program may be a mitigating factor in the event of a sanctions violation. Notably, the advisory also stated that OFAC would also consider “a company’s full and timely cooperation with law enforcement” (i.e., not just cooperation with OFAC) to be a significant mitigating factor when evaluating an enforcement outcome of a possible sanctions violation.

The updated guidance doubles down on that last point and goes further. First, the updated guidance, on two separate occasions, “strongly discourages all private companies and citizens from paying ransom or extortion demands.” Instead of paying a ransom, it “recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” In this regard, the updated guidance expressly refers to the cybersecurity practices highlighted in the Cybersecurity and Infrastructure Security Agency’s (“CISA”) September 2020 Ransomware Guide.

Second, the updated guidance emphasizes the fact that taking meaningful steps to reduce the risk of extortion by a sanctioned actor, such as by implementing CISA-recommended practices, “will be considered a significant mitigating factor in any OFAC enforcement response” to a possible sanctions violation. Specific steps highlighted by OFAC include “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols.” This statement is consistent with OFAC’s oft-stated view, as expressed in its Enforcement Guidelines, that the existence of a risk-based sanctions compliance program can be a mitigating factor. OFAC’s affirmative statement that implementing risk-reducing steps “will be considered” a “significant” mitigating factor, however, is far stronger language than the agency typically uses.

Third, and perhaps most surprisingly, the updated guidance states that, for ransomware payments that may have a sanctions nexus, OFAC will consider whether an entity has reported the ransomware attack to the appropriate government agencies and its ongoing cooperation with law enforcement to also be “significant mitigating factor[s]” for purposes of determining OFAC’s enforcement response. OFAC’s Enforcement Guidelines do provide for mitigation both for self-reporting to OFAC and for cooperation with OFAC, but they do not provide the same for reporting to, and cooperation with, other government agencies. Indeed, the Enforcement Guidelines expressly define a voluntary self-disclosure as notification “to OFAC” of an apparent sanctions violation and state that notification of an apparent violation to another government agency may be considered a voluntary disclosure by OFAC, based on a case-by-case assessment. The updated guidance seems to do away with that case-by-case standard, at least in the context of ransomware payments involving sanctioned parties, providing instead that “OFAC will consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.” (Emphasis added.) (Notably, OFAC did not indicate that filing a Suspicious Activity Report (“SAR”) with the Financial Crimes Enforcement Network (“FinCEN”) would similarly be considered a voluntary self-disclosure.) Clearly, OFAC is seeking to use its leverage to encourage ransomware victims to promptly inform the government of any ransomware attacks (whether they have a sanctions nexus or not, as that is often not known at the time of the attack). Similarly, the updated guidance reiterates that “a company’s full and complete cooperation with law enforcement” will be considered a significant mitigating factor (as did the original guidance) and goes on to provide examples of such cooperation: “e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible.”

While ransomware attacks may have a sanctions nexus, that is not universally the case. The updated OFAC guidance can be seen as part of an inter-agency push to encourage companies to take steps to protect against ransomware attacks, report such attacks to the government and cooperate with law enforcement, whether such attacks have a sanctions nexus or not.

First Designation of a Virtual Currency Exchange

In conjunction with issuing its updated advisory, OFAC also designated a virtual currency exchange for the first time, pursuant to Executive Order 13694, which provides a mechanism to target entities engaged in “significant malicious cyber-enabled activities.” OFAC designated SUEX OTC, S.R.O. (“SUEX”), a virtual currency exchange based in Russia and the Czech Republic, referencing multiple associated digital currency addresses. OFAC cited the exchange for “its part in facilitating financial transactions for ransomware actors,” including “illicit proceeds from at least eight ransomware variants,” and noted that analysis of SUEX’s transaction history suggested that over 40 percent of its transactions involved illicit actors. Virtual currency exchanges, which facilitate the exchange of virtual currencies for fiat currency, are essential to the ransomware ecosystem and necessary to make such cybercrime profitable. OFAC committed to ongoing efforts to “disrupt and hold accountable these entities to reduce the incentive for cybercriminals to continue to conduct these attacks.” The designation ups the ante for virtual currency exchanges in terms of the compliance measures expected of them and the risks that they face.

Continued Focus Likely

These actions are part of a broad and ongoing strategy the US government is pursuing, in conjunction with international partners, to counter ransomware attacks. Treasury noted that FinCEN continues to engage with stakeholders and collect information relating to ransomware threats and payments. Ransomware was also a particular focus of the G7 Cyber Expert Group, which met as recently as this month to discuss the topic. Companies should continue to track regulatory developments related to ransomware at the national and international levels and take appropriate actions to prevent and protect against ransomware attacks.