Pay at Your Own Risk: OFAC Issues Advisory on Potential Sanctions Risks Stemming from Ransomware Payments

On Thursday, October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory highlighting potential sanctions risks associated with ransomware payments related to malicious cyber-enabled activities (the “Advisory”).[1] The Advisory appears to be directed at both companies victimized by ransomware and firms that facilitate payments to ransomware extortionists (including financial institutions, cyber insurers, and companies involved in digital forensics and incident response). The Advisory cautions victims of ransomware attacks and ransomware-related services providers to consider the risk of civil sanctions liability when deciding on a course of action.

Key Takeaways

• This is not a hypothetical risk. The Advisory highlights OFAC’s existing designations under its cyber-related sanctions program of malicious cyber actors who facilitate ransomware transactions, including the North Korean Lazarus Group; the Iranian actors responsible for the SamSam ransomware attacks; the Russian developer of Cryptolocker; and the Russian cybercriminal syndicate Evil Corp.
• Your compliance program matters. The Advisory provides information on the factors OFAC will consider when determining an appropriate enforcement response to an apparent sanctions violation, including the existence, nature, and adequacy of a sanctions compliance program. The advisory also encourages financial institutions and other companies that engage with victims of ransomware attacks to report such attacks to and fully cooperate with law enforcement, as these will be considered significant mitigating factors.
• Cooperate with law enforcement. The Advisory notes that OFAC will consider as a significant mitigating factor in any potential sanctions enforcement matter a company’s “self-initiated, timely, and complete” report of a ransomware attack to law enforcement, seeking to encourage companies to fully and timely cooperate with law enforcement both during and after a ransomware attack.
• Presumption of denial of license applications. Based on OFAC’s position that ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.

Advisory

The primary takeaway from OFAC’s Advisory is that ransomware payments to sanctioned parties or jurisdictions, where the transaction involves a U.S. jurisdictional nexus, carry OFAC sanctions risk and expose both the paying victim, as well as third parties that facilitate the payment, to civil liability. Notably, the Advisory emphasizes the strict liability nature of the sanctions regulations.

The Advisory outlines OFAC’s policy view that “[f]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims” and that payments to sanctioned persons “embolden cyber actors to engage in future attacks” and “could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” In keeping with that view, the Advisory notes OFAC’s policy that applications for licenses for cyberattack-related ransomware payments to sanctioned actors will be reviewed by OFAC on a case-by-case basis, but will start with a presumption of denial.

OFAC’s Advisory comes at a time when financial losses associated with ransomware attacks are trending upward. According to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, reported ransomware cases rose 37 percent and associated losses rose 147 percent from 2018 to 2019. That trend continued into 2020, according to OFAC’s Advisory, which noted that “[d]emand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business.” Given the current work-from-home environment ushered in by the pandemic, ransomware attacks are likely to continue to become more prevalent.

Conclusion

Sanctions practitioners have often speculated how OFAC would handle such situations, with some fearing that OFAC would take a hard line to discourage ransomware payments. The Advisory confirms these fears with respect to OFAC’s licensing and enforcement posture. In particular, although OFAC no doubt recognizes the incredibly difficult circumstances facing ransomware victims, the Advisory makes clear that exigent circumstances do not relieve victims of their sanctions compliance obligations, as OFAC sanctions are strict liability. Ransomware victims are left in an unenviable situation – suffer dire business consequences as a result of the attack, or make a ransomware payment under potential OFAC sanctions exposure. Although the Advisory seems to condemn any ransom payments, it will be telling to see whether OFAC brings any enforcement actions against victims of such attacks, which face the very real prospect of going out of business if they do not pay.  More likely, as long as the victim follows the guidance, OFAC will consider enforcement actions against payment facilitators and related services providers who may be involved in dozens if not hundreds of payments to the same group.

Raymond Rif, a Legislative and Policy Specialist in the Morrison & Foerster LLP National Security practice, contributed to this alert.

[1] In a separate, but related advisory also released on October 1, 2020, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) alerted companies of the potential money laundering risks associated with processing ransomware payments, and encouraged financial institutions to file a suspicious activity report (“SAR”) with “all pertinent available information on the event and associated with the suspicious activity, including cyber-related information and technical indicators.”