On September 21, 2021, the U.S. Department of the Treasury announced two major actions by the Office of Foreign Assets Control (OFAC) to combat ransomware: the release of OFAC's Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Updated Advisory), and the first-ever sanctioning of a cryptocurrency exchange for transacting with ransomware gangs. These actions are part of the U.S. government's multi-agency effort to address the epidemic of ransomware attacks that have hobbled countless public and private entities, especially over the last few years.
The Updated Advisory sends a clear message: OFAC expects companies to take "[m]eaningful steps" to defend against and mitigate ransomware attacks, and to pay a ransom only as a last resort. If a victim company finds itself paying a ransom because it failed to adequately prepare for an attack, and if that payment involves a sanctioned person, the legal consequences could be severe.
The victim company and companies that facilitated the payment—such as financial institutions, insurers, incident response firms, and extortion payment negotiators—could face significant criminal and civil penalties. Because OFAC can impose civil penalties on a strict liability basis, companies may be found to have violated sanctions restrictions even if they had no reason to know that the ransom payment was made to a sanctioned person.
OFAC's decision to sanction SUEX OTC, S.R.O., a Russia-based cryptocurrency exchange, is also a warning to exchanges, financial institutions, and any other entities that could be deemed to facilitate ransom payments. Such firms are logical targets for OFAC's expanding anti-ransomware efforts and may need to take extra care to avoid transacting with sanctioned persons.
Yet, while OFAC's actions already have garnered significant attention—and for good reason, given the potentially severe penalties that could be imposed for violations of OFAC rules—the practical effect these actions will have is unclear. Most payments to ransomware attackers do not have an apparent nexus to OFAC-sanctioned persons, so whether the Updated Advisory will deter many payments is hard to say.
Also, the SUEX sanctions may not be a bellwether of enforcement against cryptocurrency exchanges more broadly. After noting that most activity on cryptocurrency exchanges is legitimate, the Treasury Department's press release characterized SUEX as a particularly bad actor.
The press release said that SUEX had facilitated payments involving at least eight types of ransomware and that "over 40 percent of SUEX's known transaction history is associated with illicit actors." It remains to be seen whether OFAC will focus only on outlier bad actors for ransomware-related sanctions.
With the potential limitations of OFAC's recent actions in mind, several steps are advisable:
- Companies should consider how their ransomware defenses stack up against government and industry guidance and best practices.
The Updated Advisory cites the Cybersecurity & Infrastructure Security Agency's (CISA) September 2020 Ransomware Guide as a resource for companies and highlights practices like maintaining offline backups, developing incident response plans, providing cybersecurity training, and other measures. The White House's June 2021 open letter on defending against ransomware attacks, which DWT covered in a prior blog post, may also be helpful.
- Before paying a ransom, victim companies and those that may facilitate the payment must exercise due diligence in assessing whether the ransom recipient or other involved parties are subject to OFAC sanctions.
As DWT has previously discussed in a post analyzing a prior OFAC ransomware advisory, this assessment can be extremely difficult. Ransomware attackers take great care to conceal their identities, and sanctioned groups have been known to reappear with new names.
- Firms that may facilitate ransomware payments on behalf of victim companies should consider how the Updated Advisory impacts their businesses.
The Updated Advisory formally is directed to such firms, yet much of the guidance in it applies to victim companies. Firms that facilitate ransom payments could be in a tough situation. They might ask, for example, whether there is increased risk of OFAC enforcement if they facilitate payments for a victim company that had poor ransomware defenses in place. Victim firms that want to pay a ransom might face scrutiny from payment facilitators over whether they adopted adequate defenses or followed other guidance in the Updated Advisory.
- Cryptocurrency exchanges clearly are in regulators' crosshairs as part of the federal government's efforts to combat ransomware.
Exchanges should review their compliance programs related to OFAC sanctions and anti-money laundering/terrorist financing regulations to avoid transacting with any sanctioned persons.
The Updated Advisory
The Updated Advisory builds on an advisory from October 1, 2020 (Original Advisory). DWT analyzed the Original Advisory after it was published last year. Much of the content is similar, but there are several important differences:
- Although the federal government has consistently taken a position that companies should not pay ransomware attackers, the Original Advisory did not state that position explicitly. The Updated Advisory says in clear terms: "The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks."
- Both advisories provide various recommendations for mitigating risks and penalties under OFAC rules, such as maintaining a "risk-based compliance program" to avoid making ransom payments involving sanctioned persons and, for victim companies, timely reporting a ransomware attack to and cooperating with law enforcement. The Updated Advisory adds that OFAC will consider a victim company's meaningful efforts to prevent ransomware attacks and minimize their harm to be "a significant mitigating factor in any OFAC response."
- OFAC appears to be concerned that companies might simply bank on their ability to pay the attackers in the event of a ransomware attack, rather than adopting meaningful defenses and controls. This new guidance indicates that OFAC and potentially other federal government agencies will look harshly on any company that finds itself paying a ransom because it failed to make adequate investments in cybersecurity.
- The Updated Advisory also adds detail on OFAC's expectation that victim companies self-report ransomware attacks and payments, particularly where there may be a nexus to OFAC sanctions. Victims are advised to notify CISA, their local FBI field office, the FBI Internet Crime Complaint Center (known as "IC3"), their local U.S. Secret Service office, and Treasury's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
Payments identified as having a potential sanctions nexus should be reported to OFAC. Notification following a ransom payment might become mandatory: this week, a bipartisan bill was introduced in the Senate that would require a wide array of businesses to report making ransomware payments to the director of CISA within 24 hours.
An interesting and open question is how the Updated Advisory may impact companies that facilitate ransomware payments, such as financial institutions, insurers, incident response firms, and ransom payment negotiators. Both the updated and original advisories are formally directed to such companies but contain recommendations that really pertain to victim companies.
When the Original Advisory was published, many payment facilitator firms picked up on OFAC's recommendation that victims report ransomware attacks to law enforcement and began requiring that victims do so before facilitating a payment. It is possible that such firms will begin to decline to facilitate payments for victims with very poor cyber defenses or may require victims to make certain representations about their defenses.
Focus on Cryptocurrency Exchanges
In its other major anti-ransomware action, OFAC added SUEX, a Russia-based cryptocurrency exchange, and associated wallet addresses to its Specially Designated Nationals and Blocked Persons (SDN) List because of its role in facilitating transactions with ransomware actors. As a result, U.S. persons—including victims of ransomware and companies that facilitate ransomware payments, such as financial institutions, insurers, incident response firms, and extortion payment negotiators—are generally prohibited from transacting with SUEX.
OFAC previously has sanctioned several actors for their involvement in ransomware attacks, as detailed in the Updated Advisory. Prominent examples include OFAC's sanctioning of the North Korean state-sponsored Lazarus Group for carrying out the massive WannaCry 2.0 ransomware attack in 2017, and of Evil Corp, a notorious Russia-based cybercriminal organization. But its action against SUEX is the first time OFAC has sanctioned a cryptocurrency exchange for its involvement with the proceeds of ransomware attacks.
Cryptocurrency exchanges are a logical target for OFAC's anti-ransomware push. By sanctioning an exchange rather than a specific ransomware group, OFAC can at one time attempt to punish multiple groups that use the exchange to fund their activities. Doing so also allows OFAC to choke off a key funding source for such groups without directly blocking any victim company from paying a ransom to an attacker to recover its network.
Moreover, sanctioning an exchange avoids the problem of sanctioned groups simply reemerging under a new name. Numerous security experts have reported that Evil Corp has rebranded its ransomware following OFAC's sanctions against the group.
OFAC is not alone in targeting cryptocurrency exchanges as a strategy for combatting ransomware. As noted in its press release, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) issued guidance in 2013 and 2019 applying AML and terrorist financing rules under the Bank Secrecy Act to cryptocurrency exchanges, and has brought enforcement actions against several exchanges, such as BTC-e and Helix, for processing the proceeds of ransomware attacks.
Standing alone, the recent OFAC actions to combat ransomware are significant. The actual effect they will have in deterring ransomware attacks and payments, though, is unclear. DWT will continue to follow OFAC activities on ransom payments and the federal government's numerous other efforts to address ransomware attacks generally.