In separate advisories, FinCEN and OFAC warned financial institutions of the growing prevalence of ransomware attacks and the legal risks of making ransomware payments.
FinCEN highlighted the role of financial intermediaries in facilitating ransomware payments, and reminded financial institutions that ransomware payments could trigger suspicious activity report filing requirements. OFAC emphasized the sanctions risks that companies face when they take part in ransomware payments to cyber actors who may be sanctioned or have a sanctions "nexus."
FinCEN identified indicators of ransomware-related illicit activity in order to assist financial institutions in "detecting, preventing, and reporting suspicious transactions associated with ransomware attacks". Indicators include:
- the appearance of a customer's crypto currency address on open sources linked to ransomware strains;
- receipt of funds from a customer company and the subsequent transmission of equivalent amounts to a crypto exchange;
- customers with limited knowledge of crypto currency who purchase the currency in a large amount or through rush requests;
- digital forensics and incident response or cyber insurance companies that send crypto transfers; and
- unidentified customers to a crypto exchanger who use liquidity provided by the exchange to engage in large numbers of offsetting transactions.
OFAC highlighted designations of numerous malicious cyber actors, and emphasized that facilitating a ransomware payment to a sanctioned party on behalf of a victim may violate OFAC sanctions regulations. OFAC stated that it would review license applications related to ransomware payments on a case-by-case basis with a presumption of denial.
OFAC also encouraged firms to implement a risk-based compliance program to mitigate the possibility of sanctions violations - including violations related to ransomware payments. As explained in OFAC's Economic Sanctions Enforcement Guidelines, the maintenance of an effective compliance program is a factor the agency may consider when determining its enforcement response, including the amount of civil monetary penalty. Similarly, OFAC advised that it would consider a company's reporting of a ransomware attack to law enforcement, as well as subsequent cooperation with a law enforcement investigation, as significant mitigating factors when determining the appropriate enforcement response.
The upshot of these advisories is that firms targeted by a significant ransomware attack should not expect an OFAC license to pay off their data’s captors. Rather, such firms can expect OFAC to take a hard look at any ransom payments to sanctioned parties - and even non-sanctioned parties with a sufficient sanctions “nexus.” At most, victim firms may hope for a “pass” from OFAC if they timely, voluntarily and completely report their injury to law enforcement, and fully cooperate with the ensuing investigation. While national security and foreign policy considerations underlie this regulatory approach, victim firms - already finding themselves in a very hard place - will undoubtedly feel that the government has rolled a large rock in their direction.