On October 1, 2020, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) each issued advisories addressing the risks associated with facilitating ransomware payments: the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (OFAC Ransomware Advisory) and the Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FIN-2020-A006 (FinCEN Ransomware Advisory), respectively. These advisories represent the first time that OFAC and FinCEN have issued guidance that specifically addresses ransomware payments, which, as both advisories note, have increased during the COVID-19 pandemic and "are a growing concern for the financial sector because of the critical role financial institutions play in the collection of ransom payments."1 The advisories build on other US government guidance on ransomware attacks, such as an interagency Ransomware Executive One-Pager and Technical Document, which acknowledges that "when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," and on previous OFAC sanctions designations targeting cryptocurrency exchangers who facilitated the conversion of bitcoin earned in ransomware attacks into Iranian rials.
The advisories broadly identify two main areas of regulatory risk. The first is the risk of a violation of OFAC's sanctions regulations. As OFAC reminds the public in its Ransomware Advisory, "OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction that is prohibited under sanctions laws and regulations administered by OFAC." Indeed, this risk is often encountered by banks and other companies responding to ransomware attacks because the attacker can obscure its identity and because some prolific ransomware hackers are linked to sanctioned actors, such as the North Korean government and Russian cybercriminals who inhabit a gray zone between that country's security services and its organized crime groups.
Furthermore, as FinCEN notes in the FinCEN Ransomware Advisory, "[m]any ransomware schemes involve convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators," which further obscures the destination of the payout funds and so compounds the sanctions risk that already exists because victims of ransomware attacks do not know the identity of their attackers. Victims and companies assisting them may use blockchain forensic tools and other open-source research methods to try to determine whether an address provided by an attacker has been associated with a sanctioned person. But where the attacker is known to be a target of OFAC's sanctions, OFAC has stated that it will review license applications to pay "on a case-by-case basis with a presumption of denial."
The second area of risk is the requirement that financial institutions file Suspicious Activity Reports (SARs) involving ransomware. Financial institutions are at particular risk when confronting ransomware attacks because they may be required to file a SAR whether they are the victim of the ransomware attack or are merely initiating or processing payments on behalf of their victimized clients. The FinCEN Ransomware Advisory reminds financial institutions that they "should determine if filing a SAR is required or appropriate when dealing with an incident of ransomware conducted by, at, or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware." It provides specific SAR filing instructions so that financial institutions reference the FinCEN Ransomware Advisory by associating the suspicious activity being reported with ransomware.
Although the OFAC Ransomware Advisory specifically calls on financial institutions to implement risk-based compliance programs to mitigate the risk of a sanctions violation arising from a ransomware attack, it also identifies cyber insurance, digital forensics and incident response firms as among those that should maintain compliance programs to "account for the risk that a ransomware payment may involve [a Specially Designated National or Blocked Person], or a comprehensively embargoed jurisdiction." The FinCEN advisory also cautions that by facilitating ransomware payments, these firms may be engaging in money transmission, thereby requiring registration with FinCEN as money service businesses and triggering Bank Secrecy Act obligations, including filing of SARs. Such activity may also give rise to obligations under state money transmission laws, including licensing requirements.
Both advisories contemplate that those involved in responding to ransomware attacks will inform or otherwise support law enforcement as part of their response to attacks. OFAC helpfully affirms that it will consider a "self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus." Such an interpretation of OFAC's Enforcement Guidelines—under which OFAC will also consider the extent to which a company cooperated with law enforcement during and after a ransomware attack—tempers what would otherwise be a less flexible application of the strict liability sanctions regime. Where a SAR filing is not required, the FinCEN Ransomware Advisory contemplates voluntary filings "to aid law enforcement in protecting the financial sector." The FinCEN Advisory also recognizes that financial institutions may share information with one another about computer fraud and extortion under Section 314(b) of the USA PATRIOT Act.
The FinCEN Advisory identifies five trends of ransomware attacks:
- increasing engagement by attackers on "larger enterprises to demand bigger payouts," so-called big-game hunting;
- sharing of resources among cybercriminals, including ransomware exploit kits with "ready-made malicious codes and tools" and the formation of partnerships among cybercriminals;
- engaging in "double extortion schemes," whereby attackers steal sensitive data, encrypt system files and demand ransom, followed by threatening to publish or sell the stolen data if ransom is not paid;
- using anonymity-enhanced cryptocurrencies, or AECs, and—in some cases—offering "discounted rates to victims who pay their ransoms in AECs"; and
- using "fileless" ransomware, in which the malicious code runs directly in system memory rather than being written to disk, allowing attackers to evade file-based cyber defenses.
Financial institutions should also review their financial crimes compliance controls in light of the new guidance. To that end, FinCEN identified a number of red-flag indicators to help financial institutions, especially cryptocurrency exchanges, identify potentially reportable transactions. These include:
- transactions with digital forensics firms that are known to make ransomware payments;
- certain types of rapid back-to-back movements of cryptocurrencies (which resemble typologies of high-risk fiat currency payments);
- accounts established or transactions conducted that lack an obvious connection to the customer's business or expected activity and may be a sign that the person is making a ransomware payment;
- signs that a customer is engaged in "chain-hopping," a technique used to convert one type of cryptocurrency into another in order to further obfuscate the source or destination of funds; and
- customers engaging in transactions with cryptocurrency exchanges in high-risk jurisdictions.
Financial institutions should note at onboarding that a customer is a cyber insurance, digital forensics or incident response firm so that transaction monitoring can be appropriately tailored to detect the relevant red flags. As in the sanctions context, financial institutions may consider using a blockchain forensics tool to detect when a wallet address has been linked to ransomware or other malign activity.
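One concrete form of the address check referred to above and in the sanctions discussion earlier: screen the payment address an attacker supplies against a sanctions address feed before any funds move. This is an added illustration, not code from the advisories, from OFAC or from any vendor tool. The records below are constructed samples rather than the real SDN list, and the parser assumes the remarks-text convention OFAC uses to list wallet addresses on SDN entries ("Digital Currency Address - <TICKER> <address>;"); confirm that format against the current file before relying on it. The normalization rules (Ethereum hex and Bitcoin bech32 addresses are case-insensitive, base58 addresses are not) are standard properties of those address formats, not something the advisories state.

```python
"""Screen ransom-payment addresses against a sanctions address feed.

Added example. SAMPLE_SDN_RECORDS are constructed, not real SDN entries; the
"Digital Currency Address - <TICKER> <address>;" remarks convention is an
assumption about the SDN file format that must be verified against the current file.
"""
import re
from collections import defaultdict

# Constructed sample records in the shape of SDN rows (name, sanctions program, remarks).
SAMPLE_SDN_RECORDS = [
    {"name": "SAMPLE EXCHANGER ONE", "program": "CYBER2",
     "remarks": ("Digital Currency Address - XBT 1SampleBase58AddressAAAAAAAAAAAAAAA; "
                 "Digital Currency Address - ETH 0xAbCdEf0123456789AbCdEf0123456789AbCdEf01;")},
    {"name": "SAMPLE EXCHANGER TWO", "program": "DPRK3",
     "remarks": "Digital Currency Address - XBT bc1qsampleaddressxxxxxxxxxxxxxxxxxxxxxxx;"},
    {"name": "SAMPLE VESSEL", "program": "IRAN",
     "remarks": "Vessel Registration Identification IMO 0000000;"},  # no wallet address
]

# Ticker (e.g. XBT, ETH, XMR) followed by the address itself.
ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+)\s+([A-Za-z0-9]+)")


def normalize(ticker, address):
    """Canonicalize an address so that casing differences cannot hide a match.

    ETH addresses are hex; EIP-55 mixed case is only a checksum, so compare lowercase.
    Bitcoin bech32 (bc1.../tb1...) is defined case-insensitively, so compare lowercase.
    Base58 addresses (1..., 3...) are case-sensitive: a different case is a
    different address, so they are kept exactly as written.
    Other tickers are compared exactly; extend here if you know the format.
    """
    address = address.strip()
    if ticker == "ETH":
        return address.lower()
    if ticker == "XBT" and address.lower().startswith(("bc1", "tb1")):
        return address.lower()
    return address


def build_index(records):
    """Map (ticker, normalized address) -> list of (listed name, program)."""
    index = defaultdict(list)
    for rec in records:
        for ticker, addr in ADDRESS_RE.findall(rec["remarks"]):
            index[(ticker, normalize(ticker, addr))].append((rec["name"], rec["program"]))
    return index


def screen_address(index, ticker, address):
    """Return the listed parties associated with this address (empty if none)."""
    return list(index.get((ticker, normalize(ticker, address)), []))


def screen_payment(index, ticker, address):
    """Decision wrapper. A hit means stop. No hit is NOT clearance: sanctions
    liability is strict, attackers rotate addresses per victim, and chain-hopping
    can route a clean-looking address to a blocked person downstream."""
    hits = screen_address(index, ticker, address)
    if hits:
        return {"status": "BLOCKED", "hits": hits}
    return {"status": "NO_LIST_MATCH", "hits": []}


def screen_ransom_note(index, demanded):
    """Screen every address in a ransom note: list of (ticker, address) pairs.
    The whole payment is blocked if any demanded address matches."""
    results = {addr: screen_payment(index, t, addr) for t, addr in demanded}
    overall = "BLOCKED" if any(r["status"] == "BLOCKED" for r in results.values()) else "NO_LIST_MATCH"
    return {"overall": overall, "per_address": results}


if __name__ == "__main__":
    idx = build_index(SAMPLE_SDN_RECORDS)
    # Constructed ransom note demanding payment to one listed and one unlisted address.
    note = [("XBT", "BC1QSAMPLEADDRESSXXXXXXXXXXXXXXXXXXXXXXX"), ("XMR", "4SampleMoneroAddress")]
    print(screen_ransom_note(idx, note))
```

A list match is a stop-the-payment signal and a reason to involve counsel and law enforcement before anything else. No match carries no comfort on its own: it only says the address is not on the feed you loaded, which is why the transaction-monitoring red flags above (chain-hopping, high-risk exchanges, activity with no business rationale) still apply. Commercial blockchain analytics tools, which score an address by its on-chain exposure to known ransomware or sanctioned clusters, sit on top of a direct list check like this one rather than replacing it.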
While not creating new legal requirements, taken collectively the two advisories contemplate that financial institutions and other companies will design and implement risk-based compliance programs that mitigate the risk of regulatory violations derived from ransomware incidents and payments. They indicate that both OFAC and FinCEN expect a high level of coordination between victims of ransomware attacks and law enforcement. And indeed, the failure to report attacks to law enforcement and to cooperate with law enforcement during and after an attack may increase a company's exposure to OFAC monetary penalties.
Given the serious potential regulatory consequences for paying a ransom and the potentially significant business consequences for not doing so, companies should prepare for ransomware attacks as part of their cybersecurity defense posture to mitigate the impact of any potential attack and to blunt the impact of a vexing dilemma.
WilmerHale has experience advising clients on preparing for and responding to ransomware attacks, including to mitigate the risk of noncompliance with the laws and regulations administered by OFAC and FinCEN. We are available to work with clients on incorporating these latest advisories into their ransomware incident response plans.
1 An OFAC advisory earlier this year focused broadly on the North Korean cyber threat, of which ransomware is an important part.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.