The U.S. Treasury Department has issued an updated ransomware advisory that highlights sanctions risks associated with ransomware payments and details proactive steps companies can take to mitigate these risks.
On September 21, 2021, the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") took several actions relating to ransomware, including designating an exchange and issuing guidance. Last October, OFAC issued an Advisory highlighting the sanctions risks faced by parties that make or facilitate ransom payments to malicious cyber actors. OFAC's new Advisory supersedes its earlier guidance and reiterates these risks, emphasizing that facilitating ransomware payments on behalf of a victim may violate OFAC regulations, and provides guidance for ransomware victims.
For the first time, OFAC designated a virtual currency exchange for complicit financial services. OFAC noted that SUEX OTC, S.R.O. ("SUEX") facilitated transactions involving proceeds from roughly eight ransomware variants and that more than 40% of SUEX's "known transaction history is associated with illicit actors." OFAC indicated that it would continue to use its authorities to "disrupt financial nodes tied to ransomware payments…."
Under its updated guidance, OFAC underscored that companies that unknowingly make or facilitate a payment to a threat actor that is on, or has a substantial nexus to an entity on, the sanctions list may be liable for a sanctions violation. OFAC stated that it will consider, in deciding whether to take enforcement action, whether a company has taken "meaningful steps" to reduce the risk of extortion through improving or adopting cybersecurity practices, specifically those highlighted in the Cybersecurity and Infrastructure Security Agency's ("CISA") September 2020 Ransomware Guide. Meaningful steps include developing incident response plans, maintaining offline backups of data, and employing authentication protocols. OFAC noted that such efforts could be a "significant mitigating factor" in enforcement responses.
OFAC also explained that for ransomware payments that may have a sanctions nexus, it will consider a complete voluntary report of an attack to law enforcement or other relevant U.S. government agencies (including CISA or Treasury's Office of Cybersecurity and Critical Infrastructure Protection), "made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor" in enforcement responses. OFAC indicated that such a report and cooperation during an investigation would result in the agency being more likely to resolve an apparent violation with a nonpublic response.
OFAC's announced actions are part of a broader counter-ransomware strategy that focuses on the need for collaboration between the public and private sectors and close relationships with international allies.