Office of Foreign Assets Control: Making or Facilitating Ransomware Payments May Violate U.S. Sanctions

On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.¹

Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock data up but steal data from the victim and threaten to publish sensitive files belonging to victims. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.²

OFAC’s advisory neither describes new penalties for ransomware payments nor expands existing law or provides new authority for imposing sanctions. Rather, in releasing its advisory in conjunction with a similar advisory from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), OFAC is sending a clear signal that making ransomware payments with a sanctions nexus threatens U.S. national security interests and that third-party service providers that facilitate ransomware payments on behalf of a victim must consider and ensure compliance with OFAC regulations. In particular, OFAC’s advisory does the following:

1. Reminds victims of ransomware attacks and victims’ financial institutions that they should be conducting sanctions-related due diligence on ransomware payees. Attackers and payees may be designated sanctioned parties under OFAC’s existing cyber-related sanctions authority.³ Victims that transact with a sanctioned party, or with a sanctioned-country person, to make a ransomware payment can be held strictly liable for their violation of U.S. sanctions law, even if — as may often be the case in ransomware attacks — they could not ascertain the true identity or location of their attacker and therefore did not know it was a sanctioned party. Since 2015, the U.S. government has repeatedly sanctioned cybercriminals for their actions. Notable sanctions designations include
   • December 2016: Evegeniy Mikhailovich Bogachev, creator of Cryptolocker
   • November 2018: two Iranian creators of SamSam ransomware
   • September 2019: the North Korea-sponsored Lazarus Group, creator of WannaCry 2.0
   • December 2019: Evil Corp and its leader Maksim Yakubets, creators of Dridex
2. Informs victims of ransomware and their financial institutions of OFAC’s license approval policy in situations where the victim determines that the payee/attacker is a designated party, which is a case-by-case review with a presumption of denial. OFAC takes the position that these payments “encourage future ransomware payments” and may “enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims” without guaranteeing the victim will actually “regain access to its stolen data.” These warnings align with the position long advocated by the FBI and others in the law enforcement community that while payments may sometimes be viewed as necessary, payment of ransoms encourages the illicit ransomware market and may even make the victim a target for a repeat attack.
3. Encourages financial institutions and other companies that engage with victims of ransomware (such as those involved in providing cyber insurance, digital forensics, and incident response) to implement risk-based sanctions compliance programs and to consider their obligations under FinCEN regulations.⁴ OFAC’s advisory notes that “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).” More specifically, OFAC noted that a company’s sanctions compliance program “should account for the risk that a ransomware payment may involve a [specially designated national] or blocked person, or a comprehensively embargoed jurisdiction.” If properly followed, an existing sanctions compliance program that requires screening before any financial transaction or shipment — and prohibits engagement with sanctioned parties or sanctioned-country persons without an OFAC license — should qualify for this mitigation credit. Nonetheless, organizations may recognize that an effective emergency response requires advance preparation and therefore may wish to raise internal awareness of the sanctions risks associated with ransomware attacks (e.g., that the organization might blindly transact with an attacker that is later determined to be a sanctioned party and thereby violate U.S. sanctions). These organizations may also wish to amend their sanctions compliance policies to indicate that potential ransomware payments require escalation to the trade compliance team.
4. Encourages victims to engage with law enforcement and OFAC before, and even after, making any ransom payment. Perhaps recognizing that those organizations that decide they have no choice but to pay a ransom may be discouraged from sharing leads regarding their attackers with the government if they fear an OFAC penalty, the advisory notes that OFAC is extending mitigation credit to cooperation with other government agencies. The advisory explains: “OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” The key to receiving credit appears to be that the attacker is “later determined to have a sanctions nexus” — OFAC will not give mitigation credit to a knowing violation. To further incentivize engagement with law enforcement, OFAC advises that the U.S. government, through the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection, may be able to provide special ransomware assistance to U.S. financial institutions or firms that perform “critical financial services.”

¹ OFAC, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, Oct. 1, 2020, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.

² Citing the Federal Bureau of Investigation (FBI), OFAC reports that between 2018 and 2019, there was a 37% increase in reported ransomware cases with a 147% increase in ransomware-related financial losses. During the COVID-19 pandemic, U.S. businesses are especially reliant on their digital infrastructures to conduct business and therefore are perceived as more vulnerable to ransomware attacks.

³ See OFAC, Sanctions Related to Significant Malicious Cyber-Enabled Activities, https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/sanctions-related-to-significant-malicious-cyber-enabled-activities.

⁴ See FinCEN, FIN-2020-A00X, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, Oct. 1, 2020, for a contemporaneously issued advisory on applicable anti-money-laundering obligations related to financial institutions in the ransomware context.