The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued updated guidance to highlight the sanctions risks associated with ransomware payments. During the COVID-19 pandemic, cyber-attacks demanding ransomware payments increased significantly. OFAC issued guidance on facilitating these types of ransomware payments last year in October 2020 and has reissued this updated advisory because of the increased frequency in this type of attack. To clarify, the United States government strongly discourages private companies and citizens from paying ransom or extortion demands. It also warned that companies that facilitate these types of ransomware payments could be at risk of violating OFAC regulations.
Ransomware is a form of malicious software that blocks access to a computer system and/or data and extorting a ransom payment from the victims in exchange to releasing access back to them. According to the Federal Bureau of Investigation (FBI), there was almost a 21 percent increase in reported ransomware cases and a 225 percent increase in associated losses from 2019 and 2020. These attacks are targeted against all sorts of entities of all sizes and in both the private and public sectors. Sometimes when these attacks take place, the perpetrator, both the company and the developers of the ransomware are placed on OFAC’s cyber-related sanctions and other sanctions programs. In this updated advisory, OFAC states that it “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”
When OFAC designates persons or entities on its sanctions lists, U.S. persons are generally prohibited from engaging, either directly or indirectly, in transactions with these persons or entities. This is also considered strict liability and OFAC may hold people liable even if they did not know or have reason to know that he/she was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC. This is even more reason that banks should be aware of this guidance from OFAC and to ensure that the bank conduct OFAC checks whenever there is exposure to risk that the entities may be on a sanctions list. OFAC sanctions extend beyond the reach of those facilitating ransom payments but to those who are paying the ransom amounts as well. If, however, the bank does pay ransom amounts or facilitates payments to those on a sanctions list, OFAC does take into consideration voluntary self-disclosure.
Self-disclosure has always been important for OFAC violations and this applies consistently to cyber-attacks as well. When determining liability, OFAC considers a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack. This includes providing all relevant information such technical details, ransom payment demands, and ransom payment instructions. Self-disclosing and full cooperation are seen as significant mitigating factors to liability and OFAC is more likely to resolve violations, including via a no action letter or a cautionary letter, when the affected party takes the mitigating steps to report and cooperate with legal authorities.