In the Biden Administration’s latest effort to respond to the growing threat of ransomware attacks, on September 21, 2021, the U.S. Department of the Treasury (“Treasury”) announced new sanctions and ransomware guidance in an attempt to curb the disruptive increase in ransomware attacks. The actions are the latest signal from the Administration that the U.S. government views such attacks as a national security threat and that it will continue to undertake a “whole-of-government effort” against that threat.
Specifically, Treasury’s Office of Foreign Assets Control (“OFAC”) released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”) that:
- emphasizes that the U.S. government strongly discourages the payment of cyber ransom or extortion demands,
- reminds companies that numerous ransomware groups and other malicious cyber actors have been sanctioned and that facilitating or making payments with a U.S. nexus to such actors violates OFAC regulations and could result in civil penalties, and
- identifies numerous mitigating actions that victims of ransomware attacks can take to reduce the risk of an enforcement action, such as (i) adopting cybersecurity best practices and (ii) promptly notifying law enforcement in the event of an attack.
Concurrently, OFAC designated SUEX OTC, S.R.O. (“SUEX”), a virtual currency exchange popular among ransomware groups and other criminal organizations, as a Specially Designated National (“SDN”). OFAC’s designation of SUEX was the first sanctions designation against a virtual currency exchange. Treasury’s sanctions and guidance underscore that OFAC is focused on disrupting criminals’ ability to profit from ransomware attacks, not on going after victims who act responsibly by notifying law enforcement and taking preventative steps to shore up their security.
These actions reinforce that it is critical for companies to think through how to implement best practices from a cybersecurity perspective, as well as how to engage with law enforcement and OFAC when falling victim to a ransomware attack and considering whether to pay. Treasury emphasized the need for “partnership between the public and private sector and close relationships with international partners” to counter the threat from ransomware and cyberattacks.
Updated Ransomware Guidance
Of significant interest to industry, Treasury published an update to its October 2020 advisory, which we discussed in a previous alert, addressing potential sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. The Updated Advisory is notable in several respects.
- As a general matter, OFAC encourages financial institutions and other companies to implement risk-based compliance programs to mitigate exposure to sanctions-related violations. The Updated Advisory stresses that all companies engaged with ransomware victims should ensure that their sanctions compliance programs account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively sanctioned jurisdiction.
- The Updated Advisory marks the first time that OFAC has publicly stated that taking steps to improve cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (“CISA”) September 2020 Ransomware Guide, is a significant mitigating factor in any OFAC enforcement response. Such steps include maintaining offline backups of data, developing incident response plans, conducting regular vulnerability scans, patching software, and employing multifactor authentication.
- Another mitigating factor that OFAC will consider is the reporting of ransomware attacks to appropriate U.S. government agencies and the nature and extent of cooperation with OFAC and appropriate law enforcement. The Updated Advisory encourages all victims and those involved with responding to ransomware attacks to report the incident to CISA, local FBI field offices, the FBI Internet Crime Complaint Center, or local U.S. Secret Service offices as soon as possible. Specifically, the Updated Advisory provides that OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”), to be a voluntary self-disclosure for OFAC enforcement purposes and a significant mitigating factor in determining an appropriate enforcement response.
- OFAC explained that it would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party implemented appropriate cybersecurity measures to prevent an attack, reported the ransomware attack to law enforcement as soon as possible, and provided ongoing cooperation with applicable U.S. government agencies and law enforcement.
OFAC zeroed in on SUEX as the first virtual currency exchange to be subject to U.S. sanctions due to its close association with various ransomware variants. According to Treasury, the exchange was involved in facilitating transactions for at least eight ransomware variants. U.S. government analysis of SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors, predominantly related to ransomware. OFAC designated SUEX as an SDN pursuant to Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” for providing material support to criminal ransomware actors.
As a result of SUEX’s designation as an SDN, all property and interests in property of SUEX that are subject to U.S. jurisdiction are now blocked, and U.S. persons are generally prohibited from engaging in transactions with SUEX. Additionally, any entities 50% or more owned by SUEX are also blocked. Of likely greater significance in the battle to stem ransomware attacks is the fact that financial institutions and other persons that engage in certain transactions or activities with SUEX potentially expose themselves to primary and/or secondary sanctions or could be subject to an enforcement action.
The sanctions against SUEX will be a bellwether for whether U.S. sanctions are effective against cryptocurrency exchanges. To conduct its transactions, SUEX has relied on the infrastructure of established cryptocurrency exchanges, which are now prohibited from dealing with it. We expect to see an enhanced sanctions focus on unregulated exchanges that facilitate the conversion of illicit cryptocurrency profits into real-world currency, which in turn will place greater pressure on established cryptocurrency exchanges to avoid less reputable exchanges. If OFAC is successful in disrupting SUEX’s and similar exchanges’ operations, it will force criminals to platforms that are easier for law enforcement to track. That, in turn, could result in the ability of law enforcement to identify and charge ransomware groups, and seize ransomware payments, as was the case when U.S. law enforcement officials recovered $2.3 million in bitcoin paid in the Colonial Pipeline ransomware incident earlier this year.
While Treasury’s actions express a strong U.S. government stance against ransomware payments, when analyzed closely, the sanctions and guidance reiterate that OFAC is focused on disrupting criminals’ ability to profit from ransomware attacks, not on penalizing good-faith victims who act responsibly by notifying law enforcement and taking preventative steps to shore up their security. Companies now have a helpful roadmap for steps to take to avoid a sanctions enforcement action when dealing with ransomware incidents:
- ensure your company has appropriate cybersecurity measures in place to prevent ransomware attacks in the first place;
- consider reporting an attack as soon as possible to relevant U.S. government agencies and appropriate law enforcement authorities;
- if a payment is contemplated, conduct due diligence on who and where the payment may be going; and
- develop an OFAC engagement strategy in the event you identify a potential sanctions nexus.
Additionally, cryptocurrency exchanges need to conduct heightened due diligence in anticipation of new rounds of sanctions. With this roadmap in hand, companies should be able to navigate the sanctions-related challenges presented by any ransomware attack.