The Office of Foreign Assets Control (OFAC) of the US
Department of Treasury today warned future victims of ransomware
attacks to be much more cautious about paying cybercriminal groups,
which may be sanctioned under U.S. sanctions programs. Payments of
any kind to sanctioned parties are prohibited under U.S. law unless
licensed by OFAC.
The OFAC advisory, available here, also applies to incident responders, financial institutions, insurance companies and law firms involved in helping with ransomware attacks, which could potentially face OFAC enforcement under broad facilitation prohibitions under U.S. sanctions programs. OFAC enforces a broad range of U.S. sanctions programs against countries such as Russia and Iran, but also targets organized criminal groups including cybercriminals.
OFAC has already designated some Russian and North Korean cybercriminal groups, and we expect more will be added as part of a concerted effort by the U.S. government to try to stifle an explosion in ransomware in 2020, accelerated in part by the shift to remote work during the pandemic. OFAC's concern is that the scale of ransomware payments reaching Iran and North Korea, for example, is undermining U.S. policies to isolate and pressure the regimes there—an implicit recognition that ransomware is generating significant revenue for these countries.
One bright spot in the guidance for incident responders is that OFAC notes the U.S. government will take a more measured approach to dealing with ransomware payment situations in which the victim is working with law enforcement, presumably because of the expectation that, whether the FBI or Secret Service, these will advise victims not to make payments to a known criminal group that is sanctioned by OFAC. More likely, we expect to see law enforcement to be less inclined to tacitly endorse payments to criminals going forward. OFAC also notes that while licensing for a payment is theoretically possible under the law, it will be taking a policy of presumptive denial. The reality is that most licensing applications presented to OFAC take many months to be processed even when they are likely to be approved, a timeline that is wholly unrealistic for any incident response.
Our initial view of the OFAC advisory is that it underscores the urgent need for companies to take strong steps to reduce the risk they face from ransomware. As damaging as a ransomware attack can be, victims are sometimes able to recover their data and systems by paying off the criminal. Now, victims may find themselves unable to make a ransom payment in a timely fashion while they try to identify whether the criminals are sanctioned under OFAC—an often impossible attribution problem. Even pausing a payment for several days to try to prove a negative around attribution could be a critical delay when a company's network is completely shut down by ransomware, as often happens.
Making a payment may also become a challenge when, lacking information on who the criminals are, victim companies are unable to rely on insurance coverage for the ransom payment under their cyber insurance policies or be unable to make a payment because their incident response team deems the risk of facilitating an OFAC violation too uncertain. Most victims do not have the means to make the large cryptocurrency payments demanded by criminals and have to rely on such intermediaries. In situations where the cybercriminal is strongly suspected of being a sanctioned party, even engaging in the necessary negotiations could run afoul of OFAC's broad prohibitions on any dealings with a blocked party's interest in certain property, such as a prospective ransom payment.
In this respect, it is important to keep in mind that much of OFAC's approach to blocked parties on the specially designated national (SDN) list flows from a strict liability standard, which does not require intent or knowledge of wrongdoing for a finding of a civil violation.
If you have questions about how to mitigate ransomware risks, how to prepare internally for dealing with an incident response, please contact our Data Security and Privacy team. Guillermo Christensen, a partner in our Washington, D.C. office, has handled cyber-incidents including ransomware events and through his national security law practice, regularly deals with OFAC and other U.S. government agencies. As a former CIA intelligence officer and a diplomat with the Department of State, Guillermo has a broad perspective on the inner workings of the national security interagency process that deals with issues such as U.S. sanctions/OFAC, CFIUS and export controls. Guillermo has represented clients in both civil and criminal OFAC enforcement actions and has implemented OFAC compliance programs for U.S. and non-U.S. entities.
The OFAC advisory, available here, also applies to incident responders, financial institutions, insurance companies and law firms involved in helping with ransomware attacks, which could potentially face OFAC enforcement under broad facilitation prohibitions under U.S. sanctions programs. OFAC enforces a broad range of U.S. sanctions programs against countries such as Russia and Iran, but also targets organized criminal groups including cybercriminals.
OFAC has already designated some Russian and North Korean cybercriminal groups, and we expect more will be added as part of a concerted effort by the U.S. government to try to stifle an explosion in ransomware in 2020, accelerated in part by the shift to remote work during the pandemic. OFAC's concern is that the scale of ransomware payments reaching Iran and North Korea, for example, is undermining U.S. policies to isolate and pressure the regimes there—an implicit recognition that ransomware is generating significant revenue for these countries.
One bright spot in the guidance for incident responders is that OFAC notes the U.S. government will take a more measured approach to dealing with ransomware payment situations in which the victim is working with law enforcement, presumably because of the expectation that, whether the FBI or Secret Service, these will advise victims not to make payments to a known criminal group that is sanctioned by OFAC. More likely, we expect to see law enforcement to be less inclined to tacitly endorse payments to criminals going forward. OFAC also notes that while licensing for a payment is theoretically possible under the law, it will be taking a policy of presumptive denial. The reality is that most licensing applications presented to OFAC take many months to be processed even when they are likely to be approved, a timeline that is wholly unrealistic for any incident response.
Our initial view of the OFAC advisory is that it underscores the urgent need for companies to take strong steps to reduce the risk they face from ransomware. As damaging as a ransomware attack can be, victims are sometimes able to recover their data and systems by paying off the criminal. Now, victims may find themselves unable to make a ransom payment in a timely fashion while they try to identify whether the criminals are sanctioned under OFAC—an often impossible attribution problem. Even pausing a payment for several days to try to prove a negative around attribution could be a critical delay when a company's network is completely shut down by ransomware, as often happens.
Making a payment may also become a challenge when, lacking information on who the criminals are, victim companies are unable to rely on insurance coverage for the ransom payment under their cyber insurance policies or be unable to make a payment because their incident response team deems the risk of facilitating an OFAC violation too uncertain. Most victims do not have the means to make the large cryptocurrency payments demanded by criminals and have to rely on such intermediaries. In situations where the cybercriminal is strongly suspected of being a sanctioned party, even engaging in the necessary negotiations could run afoul of OFAC's broad prohibitions on any dealings with a blocked party's interest in certain property, such as a prospective ransom payment.
In this respect, it is important to keep in mind that much of OFAC's approach to blocked parties on the specially designated national (SDN) list flows from a strict liability standard, which does not require intent or knowledge of wrongdoing for a finding of a civil violation.
If you have questions about how to mitigate ransomware risks, how to prepare internally for dealing with an incident response, please contact our Data Security and Privacy team. Guillermo Christensen, a partner in our Washington, D.C. office, has handled cyber-incidents including ransomware events and through his national security law practice, regularly deals with OFAC and other U.S. government agencies. As a former CIA intelligence officer and a diplomat with the Department of State, Guillermo has a broad perspective on the inner workings of the national security interagency process that deals with issues such as U.S. sanctions/OFAC, CFIUS and export controls. Guillermo has represented clients in both civil and criminal OFAC enforcement actions and has implemented OFAC compliance programs for U.S. and non-U.S. entities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
