OFAC’s Updated Advisory on Ransomware Payments

What Happened

On September 21, 2021, the US Treasury Department's Office of Foreign Assets Control ("OFAC") issued an "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" (the "Updated Advisory") to companies that are either the victims of ransomware attacks or who provide services to those victims. The Updated Advisory warns companies of the ongoing sanctions risks for making or facilitating ransomware payments. In a related action, OFAC also designated SUEX OTC, S.R.O ("SUEX"), a virtual currency exchange, as a blocked person subject to sanctions for facilitating financial transactions for sanctioned ransomware threat actors.

The Bottom Line

OFAC's Updated Advisory and associated announcement and sanctions actions signal the US government's continued focus on:

• discouraging ransomware victims from making ransom payments (to any threat actors, but particularly so if there is a sanctions nexus to the transaction);
• discouraging financial institutions and other involved parties (such as negotiators or insurance companies) from facilitating ransom payments;
• encouraging companies to implement risk-based compliance programs to mitigate exposure to threat actors and to prevent potential sanctions violations; and
• encouraging ransomware victims to report cyberattacks to law enforcement as soon as possible (and then fully cooperate with any resulting investigation).

The Full Story

Ransomware attacks are carried out by hackers who engage in malicious cyber activity such as installing malware to encrypt a victim's sensitive data, or stealing and threatening to publish the victim's data. In conjunction with the attack, the hackers demand a ransom payment in cryptocurrency in exchange for a decryption key that can be used to restore the data, or a promise not to publish or sell the data. Ransomware attacks have increased during the COVID-19 pandemic, which has fueled a corresponding increase in the involvement of companies that facilitate ransomware payments on behalf of victims. The Updated Advisory reports that, "there was a nearly 21 percent increase in reported ransomware cases and a 225 percent increase in associated losses from 2019 to 2020."

OFAC Designations of Threat Actors

OFAC has already designated numerous threat actors under its cyber-related sanctions program and other sanctions programs. In that vein, OFAC announced that it was blacklisting SUEX, a Russia-based virtual currency exchange that allows customers to convert digital currency into cash or other forms of assets, for its role in facilitating transactions involving illicit proceeds from criminals using ransomware. According to OFAC's press release, "over 40% of SUEX's known transaction history is associated with illicit actors," and SUEX processed transactions for at least eight different ransomware variants. The press release notes that, "[v]irtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity," and that OFAC intends to continue using its powers to disrupt financial platforms tied to ransomware and cyberattacks.

Discouraging Payment of Ransomware Demands

The Updated Advisory reiterated OFAC's position that payment of ransom demands not only encourages threat actors to continue attacking companies, but increases the risk that a victim company (or its intermediary) will violate OFAC sanctions when making or facilitating a payment. Under US sanctions programs, US persons are generally prohibited from engaging in any transactions with individuals or entities who are subject to sanctions (i.e., blocked persons). Violations are based on strict liability, meaning that a US person may be held liable even if such person did not know that it was engaging in a prohibited transaction with a blocked person. Accordingly, ransomware payments made to any individual or entity who has been designated as a blocked person will subject the victim or its agent to potential liability for violating sanctions.

To that end, OFAC reinforced its position that it will bring enforcement actions against third-party consultants or intermediaries such as financial institutions, incident response consultants, and cyber insurance companies that negotiate or facilitate payments to sanctioned threat actors on behalf of corporate victims. OFAC also signaled that any such companies facilitating payments on behalf of ransomware victims should closely consider whether they have obligations to report the transaction under FinCEN regulations.

Mitigating Factors

Under OFAC's Enforcement Guidelines, OFAC will consider the following mitigating factors when determining an enforcement response to an apparent violation of US sanctions laws:

• the existence, nature, and adequacy of a ransomware victim's sanctions compliance program;
• whether the victim of a ransomware attack has followed the US Cybersecurity and Infrastructure Security Agency's suggestions for avoiding a cyberattack, include maintaining offline backups of data, developing incident response plans, and training employees about cybersecurity threats;
• whether the ransomware victim promptly and voluntarily turned over key information to authorities such as technical details of the attack and the amount of ransom demanded; and
• whether the ransomware victim demonstrated "full and ongoing cooperation" with law enforcement during and after an attack.

When a ransomware victim has taken the mitigating steps described above, OFAC is more likely to resolve apparent sanctions violations associated with any payment by employing a non-public response such as a No-Action Letter or Cautionary Letter rather than with a publicly announced penalty or other enforcement actions.

Hunton Andrews Kurth LLP will continue to closely monitor related announcements from OFAC or other law enforcement agencies that may impact our clients' operations. Please contact us if you have any questions.

Public link

Please use the above public link if you want to share this noodl on another website.