U.S. May Impose Sanctions for Making or Facilitating Ransomware Payments

The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory warning against making ransomware payments related to cyberattacks. The OFAC warning, issued on October 1, 2020, notes that demands for ransomware payments has increased during the COVID-19 pandemic, and makes clear that such payments are a threat to national security.

The OFAC warning is not limited to victims of the attack, but is directed at any company who facilitates ransomware payments to cyber actors on behalf of the victims. For example, any of the following entities may be subject to OFAC sanctions: Financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.

The primary focus of the OFAC warning is to stop ransomware payments to criminals and adversaries with a “sanctions nexus.” OFAC maintains a variety of sanctions under its Cyber-Related Sanctions Program, and the warning makes clear that OFAC “will continue to impose sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Additionally, OFAC points out that U.S. persons are generally prohibited from engaging in transactions with individuals or entities on the OFAC’s Specially Designated National and Blocked Persons List and those covered by comprehensive country or region embargoes.

If an individual or company becomes victim to a ransomware attack, the OFAC has made it clear that prompt reporting and cooperation is critical:

“Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.”

To the extent that any entity chooses to make or facilitate a ransomware payment, this should be done pursuant to an OFAC license. The OFAC warning indicates that license applications will be reviewed on a case-by-case payment and will be presumed denied.

If an individual or company becomes victim to a ransomware attack involving a sanctions nexus, they should voluntarily contact OFAC immediately. Additionally, companies with potential sanctions exposure should implement a risk-based compliance program to manage these issues in a systematic manner.