Last week, on September 21, 2021, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) added a foreign cryptocurrency exchange and a number of crypto addresses to its Specially Designated Nationals and Blocked Persons List (SDN list). OFAC also issued an updated advisory (following an October 2020 advisory) on potential sanctions risks for facilitating ransomware payments. The additions to the SDN list reflect the U.S. government’s growing impatience to constrain ransomware payments by victims and curtail incentives for ransomware operators. The updated advisory also takes a notably harder stance in describing the sanctions risks companies may face for making or facilitating a ransomware payment.
As a result of OFAC’s advisory and related governmental guidance, the expectations on companies to prevent ransomware attacks and conduct sanctions due diligence into ransomware payments are higher. Companies should expect OFAC to take into account not only a company’s sanctions compliance program but also its cybersecurity practices when OFAC considers sanctions enforcement, guidance, and licensing related to ransomware payments.
The advisory also reflects that the U.S. government writ large is looking increasingly unfavorably at ransomware payments. Companies may wish to take steps now to further safeguard themselves against falling prey to a cyber-attack and finding themselves in the uncomfortable position of needing to consider whether to accede to a ransom demand.
How has OFAC escalated the fight against ransomware?
Ransomware is a form of malicious software (“malware”) used by cyber criminals that typically encrypts data or an entire computer system, thus blocking victims from accessing their files. In exchange for a ransom, the cyber actors typically claim that they will decrypt the files and restore the victims’ access to their data. OFAC’s updated advisory comes on the heels of an FBI report noting a 21% increase in ransomware cases and a 225% increase in associated losses from 2019 to 2020. Ransomware payments, the updated advisory notes, both “encourage and enrich malicious actors,” including those with a sanctions nexus, and “perpetuate and incentivize additional attacks.”
In response, OFAC has placed numerous cyber actors that use ransomware to extort payments on the SDN list. While OFAC has primarily designated specific ransomware actors and certain digital wallets, the updated advisory goes a step further by targeting those who facilitate ransomware payments. Specifically, the updated advisory references OFAC’s first designation of a currency exchange, SUEX OTC, S.R.O. (SUEX), “for its part in facilitating financial transactions for ransomware actors.” OFAC’s inclusion of SUEX—a virtual currency exchange used by ransomware perpetrators to launder ransom funds—on the SDN list underscores OFAC’s aim of disrupting the ransomware ecosystem. It also suggests that making or facilitating ransomware payments in response to attacks will become even more challenging as the list of prohibited counterparties and payment channels grows.
Additionally, in this new advisory, OFAC more explicitly than ever before cautions against making ransomware payments, something the U.S. government has previously left more ambiguous. The advisory states that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” In addition to emphasizing the importance of strengthening defensive measures to prevent ransomware attacks, the advisory outlines steps that companies may take to minimize their risk of an unfavorable OFAC enforcement action for making a ransomware payment.
Considering a ransomware payment? Consider sanctions risks and ultimate effectiveness
Companies that choose to pay or facilitate ransomware payments run the risk of violating sanctions, and a person subject to U.S. jurisdiction runs the risk of being held strictly liable for making a ransomware payment to a sanctioned person—even if the payer did not expressly know or have reason to know that it was engaging in a prohibited transaction. Conducting sanctions screening prior to making any ransomware payment mitigates but may not fully eliminate that risk.
In addition to the sanctions risks, companies should also consider whether paying a ransom will yield the benefits they desire. As the ransomware ecosystem has expanded, companies must carefully consider whether criminal actors will follow through with their promises to provide effective decryption tools or refrain from posting stolen information online. Moreover, data increasingly indicates that companies that pay ransoms are more likely to find themselves subject to repeat attacks in the future.
What practical steps should companies take now?
There are several steps companies might want to consider taking to mitigate the risk of an OFAC enforcement action for making a ransomware payment.
First, OFAC’s Enforcement Guidelines state that it will consider the existence, nature, and adequacy of a risk-based sanctions compliance program in determining the appropriate action in response to an apparent violation of sanctions. An effective risk-based compliance program may include: (1) management commitment; (2) periodic risk assessments; (3) internal controls; (4) testing and auditing; and (5) training. The updated advisory sets OFAC’s expectation for companies to consider whether a ransomware payment may involve a person on the SDN list or a comprehensively sanctioned territory. Accordingly, an effective sanctions compliance program should be able to address sanctions risks in potential ransomware payments.
Second, the updated advisory encourages companies to reduce their risk of exposure by improving their cybersecurity practices, as recommended in the Cybersecurity and Infrastructure Security Agency’s (CISA) Ransomware Guide. These practices include (1) maintaining offline backups of data; (2) developing incident response plans; (3) instituting cybersecurity training; (4) regularly updating anti-malware software; and (5) employing recommended authentication protocols. OFAC’s updated advisory notes that it will consider such proactive steps to be a “significant mitigating factor in any OFAC enforcement response.” These steps also increase the likelihood that a company will be able, for example, to simply absorb a delay while systems are restored from backups and brought back online, rather than having to pay a ransom.
Third, the updated advisory strongly encourages companies to report ransomware attacks to appropriate law enforcement and/or regulatory authorities. The advisory now explicitly states that OFAC will consider an appropriate report to law enforcement or other relevant U.S. government agency, such as CISA or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), to be a voluntary self-disclosure. Consistent with OFAC’s Enforcement Guidelines, voluntary self-disclosure is a significant mitigating factor in any OFAC enforcement action and is “more likely to result in a non-public response (i.e., a No Action Letter or Cautionary Letter).”
Fourth, in a ransomware scenario, companies may also consider hiring a reputable ransomware negotiations firm that performs sanctions screening on potential payees and payment vehicles, and verifies those checks with the company.
Regulators have greater sanctions compliance and cybersecurity expectations of companies. OFAC is also increasingly targeting ransomware actors—both those who demand the payment and, as demonstrated by the SUEX designation, those who facilitate ransomware payments. Taking steps now may not only help a company safeguard against a debilitating ransomware attack, but also help mitigate against potential sanctions risks and even penalties.