The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has just issued an advisory stating that "The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks." The Advisory also states that "Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
What is Ransomware?
According to the Department of the Treasury, "Ransomware is a form of malicious software ("malware") designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims' access to their systems or data.
In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous. According to the Federal Bureau of Investigation (FBI), there was a nearly 21 percent increase in reported ransomware cases and a 225 percent increase in associated losses from 2019 to 2020."
How does OFAC come into play?
OFAC maintains a cyber-related sanctions program and other sanctions programs. Among sanctioned actors are perpetrators of ransomware attacks and those who facilitate ransomware transactions (like crypto exchanges).
As per the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), "U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
Additionally, any transaction that causes a violation under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate any IEEPA-based sanctions prohibitions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons that could not be directly performed by U.S. persons due to U.S. sanctions regulations."
OFAC has the authority to impose civil penalties for sanctions violations based on strict liability. This means that a person or entity can be held liable even if they did not know, or have reason to know, that they were engaging in a transaction prohibited under sanctions laws. This is a significant risk that must be taken into account if a company is considering paying a ransom. If a ransom payment is found to violate sanctions, OFAC may be more lenient if the company has adopted strong cybersecurity practices and cooperates with law enforcement.
What should you do if there is a ransomware attack?
Per OFAC, all victims and those involved with addressing ransomware attacks are encouraged to report the incident to CISA (Cybersecurity and Infrastructure Security Agency), their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Furthermore, "[v]ictims should also report ransomware attacks and payments to Treasury's OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment." Such a voluntary self-disclosure can serve to mitigate any enforcement action taken by OFAC.
Are there exceptions?
Yes, technically, you can apply to OFAC for a license to conduct the transaction. However, OFAC reviews these applications on a case-by-case basis with a presumption of denial.
Be very careful. The government strongly discourages paying ransomware ransoms. The best thing you can do is improve your cybersecurity posture and maintain up-to-date backups on a segregated network that can be restored quickly in the event of a ransomware attack. Please feel free to contact Digital Edge if you have any cybersecurity or compliance questions.