On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that the incidents of ransomware attacks on U.S. companies have risen during the COVID-19 pandemic. Although the advisory does not mention that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid ransoms, particularly when data has been exfiltrated and the cybercriminals are threatening to post the data online unless a ransom is paid for confirmation of destruction, as is the scheme used by Maze. 

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” These sanctions include civil penalties based on strict liability.

In light of the advisory, OFAC:

“encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for responding to ransomware attacks and incident response. It lays out important considerations in determining how it may impact your incident response plan, questions to ask your cyber liability insurer about coverage around ransom payments, and the risks associated with a ransomware payment in your enterprise-wide risk management program.