Ransomware payments continue to be a focus of the U.S. Treasury Department's Office of Foreign Assets Control ("OFAC"). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S. sanctions. In addition, OFAC, for the first time, added a foreign cryptocurrency exchange (SUEX OTC, S.R.O.) and a number of crypto addresses to its Specially Designated Nationals and Blocked Persons List.

OFAC's 2021 advisory strengthened the stern warning it gave last year: victims of ransomware attacks (and those who assist them) risk violating U.S. sanctions by facilitating ransomware payments if such payments go to sanctioned entities. The updated advisory then builds upon OFAC's prior warning by emphasizing three themes: (1) act prudently to protect yourself from attack; (2) immediately disclose and report an attack to law enforcement; and (3) cooperate with law enforcement and provide details on the attack as quickly as possible. OFAC may impose penalties for sanctions violations based on strict liability, and OFAC maintains, as a matter of policy, that license applications to make ransomware payments face a presumption of denial. Thus, OFAC is using its enforcement authority to encourage good practices before an attack, and to encourage swift reporting and cooperation after, as the best means to avoid or mitigate such penalties. We have highlighted some of the key updates below:

  • Prudent Self-Defense - The advisory includes new language that "strongly" discourages the payment of cyber ransoms and instead urges private companies to focus on "strengthening defensive and resilience measures to prevent and protect against ransomware."  As an example of prudent practices, OFAC points to the Cybersecurity and Infrastructure Security Agency's ("CISA") September 2020 Ransomware Guide.
  • Prompt Reporting - OFAC will consider a person's filing of a self-initiated, complete report of a ransomware attack to law enforcement as soon as possible to be "a voluntary self-disclosure and a significant mitigating factor" even if not directly disclosed to OFAC. OFAC encourages victims to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. OFAC also encourages victims to "contact" OFAC if there is any suspected sanctions nexus in connection with the attack. Voluntary reporting can result in "significant mitigation [of penalties] from OFAC when determining an appropriate enforcement response in the event a sanctions nexus is found in connection with a ransomware payment."
  • Timely Cooperation - Another "significant mitigating factor" that OFAC will consider is a company's cooperation with law enforcement both during and after a ransomware attack, including providing information on technical details, ransom payment demands, and ransom payment instructions as soon as possible. OFAC would be more likely to resolve apparent violations with a non-public response, such as a No Action Letter or a Cautionary Letter, if these mitigating factors are present.

The U.S. Congress is also now getting more involved. Various bills have been introduced in the House and the Senate, including a bipartisan Senate measure that would require many organizations - including not only critical infrastructure operators, but also non-profits, businesses with more than 50 employees, and state and local government entities - to report ransomware attacks to federal authorities. Much may change about these bills as they make their way through the legislative process, but as the risks continue to expand, it is clear that this issue is not going away any time soon.

Foley Hoag has comprehensive resources to help you protect against ransomware attacks, deal with an attack if you become a victim, and navigate potential sanctions risks:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.