On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory regarding potential sanctions risks related to facilitating ransomware payments, as covered in this post from Foley Hoag’s Security, Privacy, and the Law blog.
OFAC is the federal agency responsible for implementing and enforcing U.S. sanctions against individuals, entities, and foreign governments involved in terrorism, narcotics trafficking, activities related to the proliferation of weapons of mass destruction, and other threats to the national security or foreign policy of the United States. Absent a license, U.S. persons are prohibited from engaging in or facilitating transactions with individuals or entities sanctioned by OFAC (known as “Specially Designated Nationals” or “SDNs”). Generally speaking, as part of a prudent compliance program to protect against the risks of engaging in prohibited transactions, companies should routinely screen the parties with whom they are transacting business against various sanctions lists and conduct reasonable diligence to identify potential red flags. For more information on structuring an effective compliance program, see this Trade Sanctions and Export Controls Alert.
Ransomware is a type of malicious software (malware) which blocks access to a victim’s computer systems or data, often by using encryption. The attackers then demand a ransom payment in digital currency in exchange for unblocking access to the data, usually through a decryption key or unlock code. The malware may appear to be a legitimate file or email attachment that the victim unknowingly downloads or opens.
The advisory notes that ransomware attacks have increased during the COVID-19 pandemic, as malicious actors target computer systems used for conducting business remotely. Even before the pandemic, attacks were on the rise: from 2018 to 2019, the Federal Bureau of Investigation reported a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses. While ransomware attacks targeting large financial institutions or government entities often gain media attention, ransomware attacks can impact businesses of all sizes and in all industries. Recently, on September 27th, Universal Health Services (UHS), a Pennsylvania-based health services provider, was hit with a ransomware attack that shut down its IT systems for three weeks in 250 of its hospitals around the country. In addition, because smaller businesses are often less likely to invest in cyber protection resources, they may be more vulnerable to attacks.
Making or facilitating a payment to an SDN would violate U.S. sanctions. As ransomware attacks are usually carried out by individuals or groups acting anonymously or under a pseudonym, it may be difficult to determine the identity of the attacker, making sanctions screening a challenge, and adding another level of complexity to the decision of whether to pay ransom or not. Ransomware attacks have been linked to groups in Iran, North Korea, and Russia. In May 2017, a ransomware attack carried out by the Lazarus Group known as “WannaCry 2.0” impacted approximately 300,000 computers in at least 150 countries. The Lazarus Group was sponsored by the North Korean government, and was sanctioned by OFAC in September 2019. OFAC actively sanctions malicious cyber actors under Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” and Executive Order 13757, “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.” While these sanctions target the attackers themselves, they also cover persons who have “materially assisted” sanctioned individuals or entities, which can include facilitating ransomware payments to SDNs.
Victims of ransomware attacks should be aware that they are at risk of violating U.S. sanctions if they engage transactions with malicious cyber actors, even if they believe that paying up is the only way to get access to their data back. OFAC stresses that making payments to malicious actors can fund activities contrary to U.S. national security, and that paying ransom is no guarantee that the victim will regain access.
In addition, U.S. persons may be liable under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) for engaging in transactions with individuals or entities who are SDNs. This is true even if the U.S. person didn’t know or have reason to know that they were engaging in a prohibited transaction with a SDN. Violating U.S. sanctions can result in criminal liability and jail time, as well as hefty monetary fines. And companies can suffer serious reputational harm from being charged with facilitating terrorism and acting against U.S. national security interests.
As we are increasingly dependent on our computer systems and our critical data is likely to be stored digitally, a ransomware attack may feel as threatening as being held at gunpoint. The business disruption and financial consequences can be very substantial, particularly for businesses without adequate backup and disaster recovery programs in place. However, the U.S. government does not consider mere economic coercion or even catastrophic financial consequences to excuse violations of these laws.
This divide between threats to economic interests vs. imminent threats to physical health and safety is not new. As stated in guidance released in 2012 regarding the U.S. Foreign Corrupt Practices Act (FCPA), “[m]ere economic coercion, however, does not amount to extortion.” Generally, payments to malicious actors made under the threat of imminent physical harm will not incur liability, but payments made under purely economic duress will likely not be considered by the U.S. government to rise to the level of true extortion, even if a business is at risk of financial ruin if their data is destroyed. However, as seen in the recent UHS ransomware attack which blocked access to patient medical records for several weeks, the line between economic impact and threats to physical health and safety is not always clear.