Ransomware is malicious software that blocks access to computer systems or data, often through encryption, in an effort to extort payments from victims in return for restoring access to the affected systems and data. Ransomware attacks not only disrupt business operations, but increasingly are accompanied by threatened public disclosure of stolen data. These tactics escalate the pressure to pay ransoms. In response to the increase in the number and sophistication of ransomware attacks, as well as the potential national security threat posed by ransom payments to sanctioned parties, on October 1, 2020, OFAC issued an Advisory highlighting the sanctions risks faced by parties that make or facilitate ransom payments to malicious cyber actors. The Advisory emphasized the potential for civil penalties under the International Emergency Economic Powers Act ("IEEPA") and the Trading With the Enemy Act ("TWEA"). While the OFAC Advisory does not herald or discuss a change in the law, it suggests the possibility of more active regulatory enforcement—and the corresponding need for companies to mitigate risk. OFAC's concern is shared in many respects by other countries comprising the Group of Seven ("G7"), which issued a statement on October 13 regarding the proliferation of ransomware attacks and expressing a commitment to increased information sharing and coordination to combat this rising threat.
OFAC's Focus on National Security Concerns
Since 2016, OFAC has added high-profile entities, individuals, and cryptocurrency wallet addresses associated with ransomware variants, including those associated with Cryptolocker, SamSam, WannaCry, and Dridex malware, to its list of Specially Designated Nationals and Blocked Persons ("SDN List"). These designations are driven by OFAC's concern that ransom payments can help criminals and adversaries further their illicit aims and fund activities adverse to U.S. national security and foreign policy objectives. OFAC's Advisory emphasizes the broad reach of its regulations—which include civil monetary penalties of the greater of $305,292 per violation or twice the value of the transaction that forms the basis of the violation. The breadth of OFAC's regulations, coupled with its current focus on facilitating ransom payments, underscores the sanctions risk for victims and companies (including those assisting the victims) involved in incident response. To further emphasize its view regarding the threat posed by these payments, OFAC noted that it will review license applications involving ransomware payment demands on a case-by-case basis—with a presumption of denial.
The Implications of OFAC's Advisory for Companies
In the face of OFAC's concerns and potential liability, companies confronted with a ransomware attack face significant risk. In some situations, a company may know or suspect that a threat actor demanding a ransom has a sanctions nexus—a scenario presenting heightened risks. In many situations, however, a company may not know the malicious actor's identity. Indeed, a company may have no reasonable basis to believe that the threat actor is on the SDN List or has any nexus to sanctioned parties. However, because OFAC's regulations are enforced on a strict liability basis, a company could be held civilly liable even if a ransom payment is made unknowingly to a sanctioned person.
OFAC's Advisory highlights serious sanctions risks that may change the calculus companies use when assessing whether to pay a ransom demand. The Advisory sets forth several actions companies can take to reduce the risk of an enforcement action. OFAC suggests that companies implement risk-based compliance programs specifically focused on mitigating the risk that a ransom payment may involve sanctioned individuals or jurisdictions. The Advisory notes that this suggestion also applies to intermediaries engaged by victims to provide services that involve processing ransom payments, cyber insurance, and digital forensic and incident response services.
The Advisory also provides that OFAC will consider a company's self-initiated, full, and timely report of a ransomware attack to law enforcement, as well as continued cooperation both during and after the incident, to be significant mitigating factors when assessing an appropriate enforcement response in the event of an apparent violation.
Finally, OFAC encourages ransomware victims and companies involved in helping victims to "contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus." It also urges victims to contact the U.S. Department of the Treasury's Office of Cybersecurity and Critical Infrastructure Protection if the incident involves a United States financial institution or could cause a significant disruption involving a critical financial service.