OFAC Issues Updated Guidance on Paying Ransom – Buyer Beware of Sanction Risks

On Sept. 21, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory updating and superseding its previous advisory issued Oct. 1, 2020. OFAC is careful to note that the Advisory is not law, and does not modify statutes, Executive Orders, or regulations. However, the Advisory contains important guidance for entities that may consider paying a ransom or those that facilitate such payments.

Ransomware attacks have increased substantially during the COVID-19 pandemic. Cybercriminals recognize companies’ reliance on distributed networks and have taken advantage of the remote environment to attack organizations across all industries. The Advisory points to reports from the Federal Bureau of Investigation (FBI) identifying a 21% increase in reported ransom cases and a 225% increase in associated losses from 2019-2021. There can be no argument that ransomware attacks are extremely profitable for criminal organizations, and it should be no surprise to anyone that the government wants to discourage these types of payments.

The Advisory does not change requirements related to ransom payments but instead appears to be intended to discourage payments of ransom and attempts to highlight the risk of sanctions associated with such payments. Notably, the Advisory states that companies that facilitate ransomware payment on behalf of victims “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” This Advisory, coupled with the recent Executive Order issued by the White House, may signal an intent by the government to examine ransomware transactions more closely going forward.

OFAC points out that it may impose civil penalties for sanctions violations even if the entity or person “did not know or have reason to know that it was engaging” in a prohibited transaction. Companies are encouraged to implement a “risk-based compliance program to mitigate exposure to sanctions-related violations.” Companies that facilitate ransom payments are specifically encouraged to consider whether a ransom payment involves a Specially Designated National (SDN) or blocked person, or an embargoed jurisdiction. OFAC also notes that it will consider a company’s efforts to improve cybersecurity practices when determining whether a company committed a sanctionable violation, and points to the September 2020 Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA). The Guide encourages steps such as maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, and implementing other authentication protocols.

Organizations are also highly encouraged to notify law enforcement and other agencies and cooperate with any investigations. OFAC will consider early notification of law enforcement and other mitigation efforts of organizations in its determination of sanctions and penalties. Factors that are considered when determining an appropriate response are found within OFAC’s economic sanctions enforcement guidelines, at 31 C.F.R. part 501, appx. A.

OFAC highly encourages victims of ransomware to report such attacks to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Such efforts may lead to resolutions that could potentially avoid payment. According to the Advisory, where resolutions that do not involve payment of ransomware exist, companies should consider pursuing such avenues, as payment of ransomware does not guarantee recovery of data or avoidance of future attacks.