Facilitating Ransomware Payments Entails Sanctions Risks, OFAC Warns

The Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, warning companies that engage with the victims of ransomware attacks that they run the risk of violating U.S. sanctions by facilitating ransomware payments. Ransomware attacks have increased in number and sophistication in recent years and have netted larger and larger payments from victims seeking to regain access to their digital systems and files or to prevent the threatened release of private information. The OFAC advisory cites FBI reports showing an annual increase of 37% in ransomware attacks and 147% in related losses from 2018 to 2019, and observes that payment demands associated with ransomware attacks have increased since the COVID-19 pandemic has forced businesses into greater reliance on online systems.

Individuals and entities behind or associated with ransomware attacks have been designated under various U.S. sanctions programs, including perpetrators and facilitators of attacks based in Iran, North Korea, and Russia. Companies that respond to ransomware attacks — including cyber-insurers, forensic investigation and response specialists, and financial services companies that facilitate ransom payments — face potential strict liability if their actions run afoul of applicable sanctions. OFAC may impose civil penalties even if the company in question did not realize it was transacting with a sanctioned individual or entity.

OFAC advises businesses that interact with ransomware victims to adopt or strengthen risk-based sanctions compliance programs that recognize and respond to sanctions risks presented by ransomware attacks. The existence and adequacy of such programs are factors considered by OFAC in determining what, if any, penalty to impose for a sanctions violation. Further, the voluntary, timely, and complete report of a ransomware attack to law enforcement and full cooperation with law enforcement during and after the attack will be considered “significant mitigating factors” in OFAC’s enforcement decision if it turns out that sanctions were violated by the response to the attack.

Consistent with the official position of other federal agencies, OFAC considers payments to ransomware perpetrators to encourage criminal activity and to threaten national security. Therefore, OFAC will review applications for specific licenses involving ransomware attacks “on a case-by-case basis with a presumption of denial.”

Erin K. Sullivan

Erin Sullivan has years of experience representing corporate and individual clients involved in investigations, prosecutions, and civil enforcement actions by federal and state government entities. She routinely conducts internal investigations, whether prompted by an existing government investigation or initiated internally for business or compliance reasons.

Gregory G. Marshall

A former federal prosecutor with extensive trial and appellate experience, Greg Marshall represents companies and individuals defending government enforcement, white-collar criminal, and civil litigation matters. Greg also conducts internal investigations and advises clients on compliance issues. He has assisted clients in the financial services, healthcare, government contracting, technology, export, and education sectors.

Greg has defended investigations and cases involving the False Claims Act, the Sherman Act, the Foreign Corrupt Practices Act, the export control laws, and allegations of healthcare, corporate, securities, and tax fraud. He regularly handles matters involving the U.S. Department of Justice, federal agency Inspectors General, the U.S. Securities and Exchange Commission, state Attorneys General, and other federal and state enforcement agencies.