Facilitating Ransomware Payments Entails Sanctions Risks, OFAC Warns

Gregory Marshall, Erin Sullivan
Bradley Arant Boult Cummings LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Bradley Arant Boult Cummings LLP

The Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, warning companies that engage with the victims of ransomware attacks that they run the risk of violating U.S. sanctions by facilitating ransomware payments. Ransomware attacks have increased in number and sophistication in recent years and have netted larger and larger payments from victims seeking to regain access to their digital systems and files or to prevent the threatened release of private information. The OFAC advisory cites FBI reports showing an annual increase of 37% in ransomware attacks and 147% in related losses from 2018 to 2019, and observes that payment demands associated with ransomware attacks have increased since the COVID-19 pandemic has forced businesses into greater reliance on online systems.

Individuals and entities behind or associated with ransomware attacks have been designated under various U.S. sanctions programs, including perpetrators and facilitators of attacks based in Iran, North Korea, and Russia. Companies that respond to ransomware attacks — including cyber-insurers, forensic investigation and response specialists, and financial services companies that facilitate ransom payments — face potential strict liability if their actions run afoul of applicable sanctions. OFAC may impose civil penalties even if the company in question did not realize it was transacting with a sanctioned individual or entity.

OFAC advises businesses that interact with ransomware victims to adopt or strengthen risk-based sanctions compliance programs that recognize and respond to sanctions risks presented by ransomware attacks. The existence and adequacy of such programs are  factors considered by OFAC in determining what, if any, penalty to impose for a sanctions violation. Further, the voluntary, timely, and complete report of a ransomware attack to law enforcement and full cooperation with law enforcement during and after the attack will be considered “significant mitigating factors” in OFAC’s enforcement decision if it turns out that sanctions were violated by the response to the attack.

Consistent with the official position of other federal agencies, OFAC considers payments to ransomware perpetrators to encourage criminal activity and to threaten national security. Therefore, OFAC will review applications for specific licenses involving ransomware attacks “on a case-by-case basis with a presumption of denial.”

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP
Bradley Arant Boult Cummings LLP
Contact
more
less

Bradley Arant Boult Cummings LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide