United States: Ransomware Payments – OFAC Updates Board and Congress Gets Involved
Ransomware payments continue to be a priority for the Office of Foreign Assets Control (“OFAC”) of the US Treasury Department. As previously reported by Foley Hoag, on October 1, 2020, OFAC issued an advisory regarding the potential sanctions risks associated with facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance on what OFAC considers mitigating factors if facilitating a ransomware payment results in an apparent violation of US sanctions. In addition, OFAC has, for the first time, added a foreign cryptocurrency exchange (SUEX OTC, S.R.O.) and a number of cryptocurrency addresses to its Specially Designated Nationals and Blocked Persons List.
OFAC’s 2021 advisory reinforces the stern warning it gave last year: victims of ransomware attacks (and those who help them) risk violating US sanctions by facilitating ransomware payments if those payments are made to sanctioned entities. The updated advisory then builds on OFAC’s prior warning with an emphasis on three themes: (1) act with caution to protect yourself against attacks; (2) immediately disclose and report an attack to law enforcement; and (3) cooperate with law enforcement and provide details of the attack as quickly as possible. OFAC may impose penalties for sanctions violations on a strict liability basis, and OFAC maintains, as a policy, that license applications to make ransomware payments are subject to a presumption of denial. Thus, OFAC uses its enforcement power to encourage good practices before an attack, and to encourage prompt reporting and cooperation afterwards, as the best way to avoid or mitigate such sanctions. We’ve highlighted some of the major updates below:
- Cautious self-defense – The advisory includes new language that “strongly” discourages the payment of cyber ransoms and instead urges private companies to focus on “strengthening defensive and resilience measures to prevent and protect against ransomware”. As an example of prudent practices, OFAC cites the Cybersecurity and Infrastructure Security Agency (“CISA”) September 2020 Ransomware Guide.
- Prompt reporting – OFAC will consider a victim’s complete, self-initiated report of a ransomware attack to law enforcement, filed as soon as possible, to be “voluntary self-disclosure and a significant mitigating factor”, even if the report is not made directly to OFAC. OFAC encourages victims to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. OFAC also encourages victims to “contact” OFAC if there is a suspected sanctions nexus to the attack. Self-reporting may result in “significant mitigation” of penalties when OFAC determines an appropriate enforcement response in the event that a sanctions nexus is found in connection with a ransomware payment.
- Timely cooperation – Another “significant mitigating factor” that OFAC will consider is a company’s cooperation with law enforcement during and after a ransomware attack, including providing technical details, the ransom demand, and the ransom payment instructions as soon as possible. OFAC would be more likely to resolve apparent violations with a non-public response, such as a no-action letter or a cautionary letter, if these mitigating factors are present.
The US Congress is also becoming more involved. Various bills have been introduced in the House and Senate, including a bipartisan Senate measure that would require many organizations – including not only critical infrastructure operators, but also nonprofits, businesses with more than 50 employees, and state and local government entities – to report ransomware attacks to federal authorities. Much can change about these bills as they move through the legislative process, but as the risks continue to spread, it is clear that this problem will not go away anytime soon.
Foley Hoag has comprehensive resources to help you protect yourself against ransomware attacks, deal with an attack if you fall victim to it, and manage potential penalty risks:
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.