On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments.  In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….”  While this is an advisory and does not have the force of law, it still bears close attention as an indication of OFAC’s policy positions.

This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program. It also identifies U.S. government resources for reporting ransomware attacks and provides information on the factors OFAC generally considers when determining an appropriate enforcement response to an apparent violation, such as the existence, nature, and adequacy of a sanctions compliance program. The advisory also encourages financial institutions and other companies that engage with victims of ransomware attacks to report such attacks to and fully cooperate with law enforcement, as these will be considered significant mitigating factors.

Given that this advisory flies in the face of the advice and practices of many forensic firms, any payments to ransomware attackers should be considered even more cautiously than before.  At the very least, before making any ransomware payments, counsel versed in OFAC compliance should be consulted.