On Thursday, October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory highlighting potential sanctions risks associated with ransomware payments related to malicious cyber-enabled activities (the “Advisory”). The Advisory appears to be directed at both companies victimized by ransomware and firms that facilitate payments to ransomware extortionists (including financial institutions, cyber insurers, and companies involved in digital forensics and incident response). The Advisory cautions victims of ransomware attacks and ransomware-related services providers to consider the risk of civil sanctions liability when deciding on a course of action.
The primary takeaway from OFAC’s Advisory is that ransomware payments to sanctioned parties or jurisdictions, where the transaction involves a U.S. jurisdictional nexus, carry OFAC sanctions risk and expose both the paying victim and third parties that facilitate the payment to civil liability. Notably, the Advisory emphasizes the strict liability nature of the sanctions regulations.
The Advisory outlines OFAC’s policy view that “[f]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims” and that payments to sanctioned persons “embolden cyber actors to engage in future attacks” and “could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” In keeping with that view, the Advisory notes OFAC’s policy that applications for licenses for cyberattack-related ransomware payments to sanctioned actors will be reviewed by OFAC on a case-by-case basis, but will start with a presumption of denial.
OFAC’s Advisory comes at a time when financial losses associated with ransomware attacks are trending upward. According to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, reported ransomware cases rose 37 percent and associated losses rose 147 percent from 2018 to 2019. That trend continued into 2020, according to OFAC’s Advisory, which noted that “[d]emand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business.” Given the current work-from-home environment ushered in by the pandemic, ransomware attacks are likely to continue to become more prevalent.
Sanctions practitioners have often speculated how OFAC would handle such situations, with some fearing that OFAC would take a hard line to discourage ransomware payments. The Advisory confirms these fears with respect to OFAC’s licensing and enforcement posture. In particular, although OFAC no doubt recognizes the incredibly difficult circumstances facing ransomware victims, the Advisory makes clear that exigent circumstances do not relieve victims of their sanctions compliance obligations, as OFAC sanctions are strict liability. Ransomware victims are left in an unenviable situation – suffer dire business consequences as a result of the attack, or make a ransomware payment under potential OFAC sanctions exposure. Although the Advisory seems to condemn any ransom payments, it will be telling to see whether OFAC brings any enforcement actions against victims of such attacks, which face the very real prospect of going out of business if they do not pay. More likely, as long as the victim follows the guidance, OFAC will consider enforcement actions against payment facilitators and related services providers who may be involved in dozens if not hundreds of payments to the same group.
Raymond Rif, a Legislative and Policy Specialist in the Morrison & Foerster LLP National Security practice, contributed to this alert.
In a separate but related advisory also released on October 1, 2020, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) alerted companies to the potential money laundering risks associated with processing ransomware payments and encouraged financial institutions to file a suspicious activity report (“SAR”) with “all pertinent available information on the event and associated with the suspicious activity, including cyber-related information and technical indicators.”