The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” This advisory continues prior advisory comments strongly discouraging companies from making ransomware payments and suggests proactive steps for mitigating ransomware risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action.
Significantly, the advisory also announced that in September 2021, OFAC sanctioned SUEX OTC SRO, a cryptocurrency exchange, for its part in facilitating financial transactions for ransomware actors. Though OFAC has sanctioned numerous perpetrators of ransomware attacks in recent years, this is the first time it has publicly sanctioned a company for providing support to ransomware actors—thus confirming not only OFAC’s intent to apply sanctions to ransomware situations, but also the application of the facilitation concept to these activities. According to the advisory, OFAC will continue to impose sanctions on those who provide financial, material, or technological support for ransomware activities. This brings the ransomware approach squarely within more traditional OFAC enforcement guardrails.
Ransomware is malicious software code that blocks access to computer systems or data, frequently by encrypting files and data to extort ransom payments from victimized businesses in exchange for restoring access to such systems and data. Typically, ransomware actors offer a decryption key that can be used to unlock the infected files or systems. As part of a newer trend in ransomware attacks, in addition to blocking access to systems or data, some ransomware actors steal information through exfiltration and threaten to publicly distribute sensitive or proprietary data obtained from the business’s computer systems if ransom payments are not received.
Ransomware attacks are increasing in their severity and sophistication, with governmental entities and financial, educational, and healthcare institutions being significant targets. OFAC’s advisory states that between 2019 and 2020, the number of ransomware incidents reported to the FBI increased by 21%, and losses associated with such incidents increased by 225%. Ransomware attacks have increased during 2021. According to the advisory, ransomware actors often target businesses believed to have fewer resources to invest in cyber protection in the hopes that they will be more likely to make a quick ransom payment.
In OFAC’s strongest statement yet on the subject, the updated advisory continues to discourage payments to ransomware actors with a sanctions nexus, reaffirming that such payments may violate OFAC regulations. OFAC has warned on numerous occasions that violations of OFAC regulations for the purpose of making ransomware payments may result in civil penalties based on strict liability, meaning that a business may be held liable even if it was unaware it was engaging in a transaction that was prohibited by sanctions laws or regulations overseen by OFAC. As summarized in the updated advisory, the sanctions nexus may involve payments or transactions:
… directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under [International Emergency Economic Powers Act (IEEPA)], including a transaction by a non-US person that causes a US person to violate any IEEPA-based sanctions prohibitions, is also prohibited. US persons, wherever located, are also generally prohibited from facilitating actions of non-US persons that could not be directly performed by US persons due to US sanctions regulations.
Under a strict liability standard, OFAC sanctions may “range from nonpublic responses, including issuing a no-action letter or a cautionary letter, to public responses, such as civil monetary penalties.”
The updated advisory identifies factors to mitigate sanctions risk, emphasizing OFAC’s position that companies should focus on strengthening defensive measures to prevent and protect against such demands under a “risk-based compliance program to mitigate exposure to sanctions-related violations.”
OFAC encourages businesses to reduce the risk of cyber extortion by improving cybersecurity practices, noting that the following practices, among others, may be considered mitigating factors in any OFAC enforcement response:
The advisory references the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a source of cybersecurity practices that may be considered mitigating factors.
OFAC strongly urges victims of ransomware attacks to report to and cooperate fully with appropriate US government authorities, including CISA, the FBI, and the US Secret Service. Where the attackers have previously been sanctioned by OFAC or otherwise have a sanctions nexus, OFAC encourages victims to additionally notify OFAC and the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection. OFAC will consider a company’s “self-initiated and complete report of a ransomware attack to law enforcement”—including self-reporting any payments made to threat actors—to be a significant mitigating factor in any enforcement response. Thus, OFAC is signaling that reporting these attacks to OFAC, and not just the law enforcement functions, can act as an important step in avoiding sanctions liability. The FBI and OFAC coordinate closely on ransomware issues, and OFAC is often aware of the events through internal government communications. OFAC’s advisory signals that it wants parties to consider more proactive reporting of these events to OFAC as well.
In light of the rise of ransomware attacks in recent years and OFAC’s growing focus on ransomware activities with a sanctions nexus, it is more important than ever that companies take steps to improve cybersecurity practices and protection. Companies should assess the extent that they have compliance programs in place that may mitigate ransomware attacks and sanctions risk.
As noted in the advisory, such steps may include maintaining offline backups of data, developing or updating incident response plans, conducting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols. Additionally, companies that have been targeted by ransomware should seek legal advice on the range of issues associated with the attack, including the difficult legal questions around determining any regulatory or notification obligations, whether and when to contact law enforcement, and the consequences of considering paying any ransom demand.
Morgan Lewis has a global team of counselors that regularly assist clients in the prevention of and aftermath of ransomware and other cyberattacks. If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: