OFAC Warns of Sanctions Risks for Companies Facilitating Ransomware Payments
On October 1, 2020, the U.S. Treasury's Office of Foreign Assets Control (OFAC) issued a new advisory spotlighting sanctions risks for companies that facilitate ransomware payments, including financial institutions, cyber insurance firms, and digital forensics and incident response companies. The advisory warns that OFAC intends to impose sanctions, which could result in fines of up to $1 million, for ransomware payments to banned individuals and regions.
Although it is typically impossible to identify the ultimate recipient of such payments and thus to determine their status under sanctions, OFAC also provided guidance on mitigating actions that companies can consider taking in order to minimize future liability and risk. Companies that facilitate ransomware payments should analyze whether doing so exposes them to significant penalties, and ransomware victims who are considering making ransomware payments should also weigh this OFAC guidance.
OFAC's advisory comes in the wake of a sharp increase in malware activity in recent years, particularly during COVID-19, as companies have relied heavily on remote access and web-based resources to continue conducting business. As the rate of ransomware attacks continues to increase, OFAC has taken the stance that persons who comply with ransom demands, and companies that facilitate ransomware payments, are bolstering the rise of such incidents by "embolden[ing] cyber actors to engage in future attacks."
Specially Designated Nationals and Blocked Persons List
The advisory specifically applies to ransomware payments that might involve individuals on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) or in a comprehensively embargoed country or region (e.g., Cuba, Crimea, Iran, North Korea, and Syria). However, the perpetrators of ransomware attacks are typically anonymous individuals whose only identifiers are often a digital currency wallet address (to which ransom payments are channeled), an untraceable email address, and the form of malware used. As such, companies will generally not be able to know for certain whether ransomware payments are directed to sanctioned recipients or regions.
Those who find themselves the victim of a ransomware attack or seek to facilitate a ransomware payment should be aware that, for payments to SDNs, OFAC may impose sanctions penalties on a strict liability basis, meaning that companies that initiate or facilitate such ransomware payments can be fined despite having no way of determining that the ransomware payment was sent to a sanctioned recipient.
Companies that facilitate ransomware payments should run what information they have on the attacker against OFAC's SDN List, which is periodically updated to include digital currency addresses and identifying email accounts. Such searches should be conducted using the "fuzzy logic" option of OFAC's online sanctions list search tool, and due diligence should be exercised to attempt to eliminate near misses.
OFAC's Mitigating Factors for Enforcement
In the likely scenario that the search provides little additional guidance on whether a sanctions nexus exists with the relevant cyber attacker, the OFAC advisory notes certain mitigating factors that will be considered in determining enforcement outcomes should a sanctions violation arise. These include (i) the existence, nature, and adequacy of a company's sanctions compliance program, (ii) the company's self-initiated, timely, and complete report of the ransomware attack to law enforcement, and (iii) the company's full and timely cooperation with law enforcement during and after a ransomware attack.
As a proactive measure, companies that facilitate ransomware payments should assess their sanctions compliance programs to determine how they can address the specific concerns raised by OFAC's advisory and highlighted in this bulletin. When ransomware attacks take place, both the company subject to ransomware and those that may assist in facilitating payments should try to determine first whether the payment involves an SDN or blocked individuals or regions and should consider making documented efforts to promptly coordinate and cooperate with law enforcement to further mitigate sanctions risk.