The Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, warning companies that engage with the victims of ransomware attacks that they run the risk of violating U.S. sanctions by facilitating ransomware payments. Ransomware attacks have increased in number and sophistication in recent years and have netted larger and larger payments from victims seeking to regain access to their digital systems and files or to prevent the threatened release of private information. The OFAC advisory cites FBI reports showing an annual increase of 37% in ransomware attacks and 147% in related losses from 2018 to 2019, and observes that payment demands associated with ransomware attacks have increased since the COVID-19 pandemic forced businesses into greater reliance on online systems.
Individuals and entities behind or associated with ransomware attacks have been designated under various U.S. sanctions programs, including perpetrators and facilitators of attacks based in Iran, North Korea, and Russia. Companies that respond to ransomware attacks — including cyber-insurers, forensic investigation and response specialists, and financial services companies that facilitate ransom payments — face potential strict liability if their actions run afoul of applicable sanctions. OFAC may impose civil penalties even if the company in question did not realize it was transacting with a sanctioned individual or entity.
OFAC advises businesses that interact with ransomware victims to adopt or strengthen risk-based sanctions compliance programs that recognize and respond to sanctions risks presented by ransomware attacks. The existence and adequacy of such programs are factors considered by OFAC in determining what, if any, penalty to impose for a sanctions violation. Further, the voluntary, timely, and complete report of a ransomware attack to law enforcement and full cooperation with law enforcement during and after the attack will be considered “significant mitigating factors” in OFAC’s enforcement decision if it turns out that sanctions were violated by the response to the attack.
Consistent with the official position of other federal agencies, OFAC considers payments to ransomware perpetrators to encourage criminal activity and to threaten national security. Therefore, OFAC will review applications for specific licenses involving ransomware attacks “on a case-by-case basis with a presumption of denial.”