On October 1, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The Advisory, which does not carry the force of law, warns financial institutions, cyber insurance carriers, and other institutions that facilitate ransomware payments to malicious cyber actors on behalf of victims of ransomware attacks, that doing so may expose those institutions to hefty civil penalties under several federal regulations.
For the last several years, OFAC has sanctioned several malicious cyber actors under various sanctions programs. Malicious actors that OFAC has sanctioned include the Lazarus Group, which was responsible for the WannaCry 2.0 infection of approximately 300,000 computers globally in 2017, and Evil Corp., a Russian criminal organization that used malware to infect computers and harvest login credentials from financial institutions in approximately 40 countries. In addition to imposing sanctions on these malicious actors, OFAC has imposed sanctions on any institutions or organizations that materially assist, sponsor, or provide financial, material, or technical support for their activities.
As the Advisory provides, under both the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly,” with entities or persons on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), and those covered by country embargoes, such as Iran, North Korea, and Syria. U.S. persons are also prohibited from engaging in transactions with non-U.S. persons that would cause other U.S. persons to violate IEEPA.
OFAC issued the Advisory primarily to warn institutions and cyber insurance carriers that facilitating ransomware payments may cause inadvertent payments to malicious actors on the SDN List or to persons in countries on the embargo list. Ignorance of a payment’s ultimate destination is no excuse: OFAC’s regulations provide for strict liability, meaning that OFAC can and will levy civil penalties against even those facilitators who did not know that they were facilitating payments to hackers on OFAC’s sanctions lists.
OFAC’s rationale for the Advisory is simple: OFAC believes that facilitating ransomware payments to malicious cyber actors may enable criminals and persons on OFAC’s lists to profit from their illegal activities. Ransomware payments made to sanctioned persons or jurisdictions could be used to fund activities “adverse to the national security and foreign policy objectives of the United States,” and “embolden cyber actors to engage in future attacks.”
Financial institutions, in particular, should pay close attention to this Advisory. OFAC encourages ransomware victims and facilitators of payments to contact OFAC if they believe that a request for a ransomware payment may have a “sanctions nexus,” or otherwise involve actors on OFAC sanctions lists. Contacting law enforcement and regulators before issuing any payment may thus not only be appropriate for victims of ransomware attacks, but may ultimately significantly mitigate any penalties that OFAC may choose to impose on facilitators for payments to actors with a sanctions nexus.