The decision to pay millions to a cyber criminal has never been easy, but it is now even more complex. The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory on September 21, 2021, on the potential sanctions risks to making or facilitating ransomware payments, and cyber victims paying to restore systems and recover data may be in the crosshairs of the U.S. government as it attempts to combat the steadily growing threat of ransomware attacks.
Although it notes that “the U.S. government strongly disfavors the payment of cyber ransom or extortion demands,” the OFAC guidance stops short of prohibiting such payments. Instead, building on the initial October 2020 advisory, it highlights the following:
- The ransomware threat is significant and growing.
- Ransom payments to sanctioned organizations or individuals (including those located in comprehensively sanctioned countries/territories) are unlawful and carry significant legal exposure.
- Organizations are expected to take specific steps to reduce their potential sanctions exposure, which requires planning, resources, and other cyber investments.
At the same time, OFAC announced that, for the first time, it had sanctioned a cryptocurrency exchange (SUEX OTC, also known as Successful Exchange) based on its ties to ransom payments. SUEX has been designated as a Specially Designated National (SDN), which imposes asset-freezing measures on its property subject to U.S. jurisdiction and prohibits virtually all transactions with any U.S. nexus. The SDN designation also creates possible secondary sanctions exposure for those who provide “material support” to SUEX after its designation, even if the activity has no U.S. nexus.
Companies and institutions must comply with the full range of potential sanctions, anti-money laundering, export control, and other regulatory requirements in the case of cybercrime. We expect the Government to continue to issue and expand guidance in these areas and be vigilant in enforcement and additional designations.
The U.S. government is recognizing what ransomware victims have long known: ransomware is pervasive and debilitating. The advisory first reflects on the massive uptick in the number, size, and sophistication of ransomware attacks, and the efforts by OFAC to sanction attackers behind such activity. Ransomware attacks have been carried out against private and government entities of various sizes and across sectors, including numerous organizations considered by the U.S. government to constitute critical infrastructure. The advisory states that because ransomware payments may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims, the “U.S. government strongly discourages the payment of cyber ransom or extortion demands.” Nonetheless, the U.S. government has in other contexts acknowledged that many organizations ultimately decide to pay ransoms because, they determine, doing so is the right business decision.
The OFAC advisory is one piece of an increasing and broader effort by the U.S. government to combat the ransomware threat. In recent months, Congress has held multiple hearings on cybersecurity and ransomware. At a hearing held the same day OFAC’s new advisory was released, for example, FBI Director Christopher Wray described the situation as “not sustainable” and “not acceptable,” noting that the FBI had launched a new cyber strategy last year to ramp up its efforts to disrupt and defend against malicious activity, including via public-private partnerships. Secretary of the Department of Homeland Security (DHS) Alejandro Mayorkas testified that DHS (and in particular CISA, the Cybersecurity and Infrastructure Security Agency) has significantly increased its cybersecurity efforts over the past year. And earlier this month, the National Institute of Standards and Technology (NIST) also initiated a comment period on its new draft Cybersecurity Framework Profile for Ransomware Risk Management.
Ransomed and then fined
The legal landscape around making a ransom payment remains complicated and uncertain. The advisory warns that victim organizations, along with organizations that facilitate ransom payments, may be subject to enforcement actions if the ransom recipient turns out to be sanctioned. Without addressing the practical difficulty of identifying to whom ransomware payments are actually made when identities are concealed and cryptocurrency wallets remain near-anonymous, the guidance reiterates that U.S. persons are prohibited from dealing with the sanctioned entities found on OFAC’s Specially Designated Nationals and Blocked Persons List as well as all residents of comprehensively sanctioned territories. In addition to entities on the SDN list, transactions with non-listed entities that are, directly or indirectly, 50 percent or more owned by one or more SDNs are prohibited. Sanctions are enforced under a strict liability regime, meaning that a victim organization or an organization that facilitates a ransom payment can be held civilly liable for sanctions violations even if it did not know, and could not reasonably have known, that the recipient of the payment was sanctioned.
Sanctions and other risks
Not all ransomware payments carry the same sanctions risk. Following OFAC’s initial October 2020 guidance, ransomware victims generally have taken a number of measures to avoid making payments to SDNs. The updated advisory now offers expanded information on mitigating factors that may inform OFAC’s enforcement response to future ransom payments by victim organizations. It may help shape the standard of care for ransomware response generally:
- Law enforcement cooperation. As OFAC’s previous advisory noted, voluntary cooperation with law enforcement remains a key factor. The updated advisory specifically recommends that organizations affected by ransomware contact law enforcement as soon as possible and cooperate on an ongoing basis, providing “all relevant information such as technical details, ransom payment demand, and ransom payment instructions.” Later, the guidance stresses that “OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible.” The advisory also suggests reporting the incident to the Department of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), as well as OFAC if a sanctioned entity may be involved. This echoes previous statements from the law enforcement community.
- Sanctions compliance program. For financial institutions and other companies involved in facilitating ransomware payments or otherwise engaging with victims of ransomware attacks, including insurance companies and forensic/incident response vendors, the advisory recommends a risk-based sanctions compliance program. According to the advisory, the sanctions compliance program should specifically account for the risk that a ransomware payment may involve an SDN or blocked person or a comprehensively embargoed jurisdiction. The advisory also notes that some persons and entities involved in facilitating ransom payments on behalf of victims should assess whether they have regulatory obligations pursuant to regulations issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which include anti-money laundering obligations for financial institutions.
- Cybersecurity measures. The updated advisory also suggests that an organization’s adoption of defensive or resilience measures may be a mitigating factor. OFAC recommends adopting and improving cybersecurity practices, such as those highlighted in CISA guidance—including the recently launched StopRansomware.gov website, a central hub for consolidating ransomware resources. Suggested steps include maintaining offline backups of data, developing and testing incident response plans, instituting cybersecurity training, regularly updating anti-malware software, and employing authentication protocols, among others.
The updated advisory states that, if an affected party took the mitigating steps outlined above, OFAC may go as far as resolving apparent violations with a non-public response, such as a No Action Letter or a Cautionary Letter, although the outcome will depend on the specific facts and circumstances.
The Treasury Department’s updated advisory and sanctioning of a cryptocurrency exchange add complexity to the existing process for evaluating whether to pay a ransom and suggest enhanced enforcement of potential sanctions and anti-money laundering compliance violations, particularly against financial institutions and other organizations that facilitate ransom payments. In light of this guidance – and well in advance of any possible cybersecurity incident – organizations may want to consider a number of initiatives, including:
- Reviewing existing cybersecurity incident response plans to confirm that the compliance function evaluates the possibility of a sanctions nexus.
- Reviewing the organization’s existing protocols on law enforcement engagement before, during, and after an incident.
- Identifying potential limitations in the organization’s cybersecurity insurance policy, such as the required use of pre-selected external advisers.
- For facilitators of ransomware payments, conducting a thorough legal analysis of whether they may be considered money transmitters (and thus subject to Bank Secrecy Act (BSA) rules) in certain circumstances.
- Evaluating the adequacy of the organization’s policy on filing Suspicious Activity Reports (SARs) in connection with all types of cybersecurity incidents. (Note that SAR filing carries with it various follow-on requirements, including confidentiality restrictions, record retention requirements, and similar obligations.)