New OFAC guidance for ransomware payments

Data Protection, Privacy and Security Alert

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to companies providing services to victims of ransomware attacks, informing them of the potential “sanctions risks” for facilitating ransomware payments.

What is a ransomware attack?

A ransomware attack uses a type of malware (i.e., malicious software) that threatens to block access to a victim’s data and/or systems, most often by encrypting them, or to publicly disclose the victim’s data unless a ransom is paid. Typically, the threat actors demand payment in digital currency in exchange for a decryption key, which the victim then uses to restore access to the affected data and/or systems.

Malicious cyber actors

The advisory identifies multiple malicious cyber actors falling under the scope of OFAC’s cyber-related sanctions program, including those associated with Cryptolocker, SamSam, WannaCry 2.0 and Dridex.

Guidance on facilitating ransomware payments and compliance with OFAC regulations

The advisory warns against payments by US persons to individuals or entities on the Specially Designated Nationals and Blocked Persons List (SDN List), to other blocked persons, and to those covered by comprehensive country or region embargoes. Additionally, the advisory states that conduct by a non-US person that causes a US person to violate any sanctions, and facilitation by US persons of actions by non-US persons intended to avoid US sanctions regulations, are also prohibited.

Importantly, the advisory states that OFAC may impose civil penalties based on strict liability. OFAC’s Enforcement Guidelines provide the factors that OFAC considers when determining an appropriate response to an apparent violation. Under the Enforcement Guidelines, in the event of an apparent violation of US sanctions law, the existence, nature and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining enforcement.

OFAC encourages companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. The guidance applies not only to victims but also to companies that engage with victims of ransomware attacks, such as cyber insurance companies, digital forensics and incident response companies, and financial services companies that process ransom payments. OFAC will also consider a company’s self-initiated, timely and complete report of a ransomware attack to, and cooperation with, law enforcement to be a significant mitigating factor in determining enforcement if a sanctions nexus is later determined to exist.

Please click here to view the full advisory.

For further information, please contact:

Ron Plesco

Andy Serwin

Stacy Shelhorse