On October 1, 2020, the US Department of the Treasury's Office of Foreign Assets Control ("OFAC") issued an advisory opinion1 on the sanctions risks associated with certain cyberattacks ("OFAC Guidance"). The OFAC Guidance focuses on a specific type of cyberattack known as ransomware. These attacks are increasingly used to extract ransom payments from companies whose systems have been targeted by "ransomware" and crippled during the current COVID-19 pandemic. In particular, the OFAC Guidance details the potential sanctions risks associated with making or facilitating ransomware payments on behalf of the victims of the ransomware attacks where payment involves a sanctioned person or comprehensively sanctioned jurisdiction. OFAC's Guidance is broadly targeted and the intended audience includes not only financial institutions, but also the victims of ransomware attacks, as well as any other third party that may be involved in facilitating a ransomware payment
The OFAC Guidance provides insight on OFAC's sanctions concerns relating to ransomware payments and enforcement considerations, and provides advice for companies on responding to ransom requests in compliance with US sanctions. Notably, the OFAC Guidance clarifies that it is limited to addressing sanctions risks related to ransomware and does not address issues more broadly related to information security and cyber threat intelligence gathering efforts, or to OFAC's other cyber-related sanctions programs.
Background on Ransomware
Over the past few years, ransomware attacks have moved to the top of the list of attack mechanisms utilized by malicious actors to extract funds from organizations. At its core, ransomware is a computer virus planted or downloaded on an entity's network that disables computers and encrypts systems and files so that the affected company cannot view or access those files. The software then demands a ransom, usually via a pop-up box, from the affected entity in exchange for a decryption key utilized to restore computers and decrypt impacted files. Victims of ransomware attacks also increasingly face secondary extortion schemes, where attackers threaten to publish or sell data stolen from the victims' systems. These ransom demands usually utilize Bitcoin or other electronic payment mechanism to effect ransom transfers.
There are many variants of ransomware, with some variants gaining more notoriety than others. One example is the WannaCry ransomware that wreaked havoc on company systems across the globe in 2017. The WannaCry ransomware attack infected nearly 300,000 computers in 150 countries impacting information and operational technology systems in the health care, telecommunications and utility sectors. This crippled the operations of many companies by rendering them unable to use their computers and phone systems, and by causing enterprise technology system failures. Employees who logged into infected computers were greeted with a ransom message demanding $300 worth of Bitcoin. In 2019, OFAC announced sanctions against three North Korean state-sponsored malicious cyber groups for their role in these attacks.
Occasional, minor interruptions to operations are generally tolerable and manageable, but interruptions caused by ransomware can be crippling and demand an immediate response to get operations back online. Organizations could otherwise suffer significant and potentially fatal business losses. In the absence of adequate backup and disaster recovery mechanisms, businesses have little choice but to pay a ransom in the hope of resuming operations.
OFAC Guidance
The OFAC Guidance recognizes the threat posed by ransomware attacks, noting that "ransomware attacks have become more focused, sophisticated, costly, and numerous." OFAC cites statistics gathered by the Federal Bureau of Investigation Internet Crime Reports showing a 37% increase in reported ransomware cases and 147% increase in associated losses from 2018 to 2019. Given the impact to business operations, increases in ransomware attacks have naturally led to an increase in ransom payments. These payments implicate a number of entities. Although the victim generally pays the ransom, other entities, such as financial institutions, cyber insurance firms, and cybersecurity companies generally facilitate the payments on the victim's behalf. The OFAC Guidance warns that the entities facilitating ransomware payments may also risk violating OFAC regulations, if such transactions have a sanctions nexus, such as involvement of a sanctioned party or property.
According to the OFAC Guidance, OFAC has designated numerous malicious actors to its Specially Designated Nationals and Blocked Persons List ("SDN List") pursuant to its sanctions programs, including the perpetrators and facilitators of ransomware attacks, such as the North Korean hacking groups described above. In some cases, OFAC includes such actors' digital currency addresses in their SDN List. OFAC has indicated an intention to continue imposing sanctions on those who "materially assist, sponsor, or provide financial, material or technological support for these activities." Ransom payments made to the perpetrators of ransomware attacks are of concern to OFAC as they may enable sanctioned criminal entities and adversaries, or entities with a nexus to the sanctioned entity, to obtain funds to support their illegal activities. The OFAC Guidance expresses concerns that such activities could undermine the national security and foreign policy objectives of the United States.
OFAC maintains various prohibitions and authorities which are potentially implicated by ransom payments to malicious actors on the SDN List or that otherwise have a sanctions nexus, such as involving a sanctioned financial institution or actors related to a comprehensively sanctioned country or region:
- Generally, US laws prohibit US persons2 from engaging in any transactions, directly or indirectly, with individuals or entities ("Persons") on OFAC's SDN List, other blocked persons, and comprehensively sanctioned countries or regions (i.e., currently, Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). This includes facilitating actions that the US person could not engage in themselves;
- Furthermore, both US persons and non-US persons may face enforcement risk if they cause a sanctions violation – for example, a non-US person engaging in a transaction that would violate US sanctions laws and regulations and that has a US nexus (e.g., involvement of US Persons or use of US dollars cleared through US financial institutions); and
- Non-US Persons may also face risk of imposition of sanctions on themselves even without any US nexus by engaging in certain "sanctionable" activities as set forth principally in Executive Orders or specific statutes, such as the Iran Sanctions Act or the Countering America's Adversaries Through Sanctions Act. Many executive orders authorize OFAC to designate any person to the SDN List if OFAC determines the person has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of any person blocked pursuant to the executive order.
- Additionally, US sanctions laws and regulations prohibit sanctions evasion, as well as attempts to evade, avoid, or violate sanctions.
The OFAC Guidance notes that strict liability may be imposed for a violation of sanctions laws and regulations, such that a person may be subject to civil liability even where it was unaware, or did not have reason to know, it was engaging in a prohibited transaction. OFAC has issued guidelines for sanctions enforcement actions that, among other things, take into account the existence, nature and adequacy of any sanctions compliance program. In particular, the OFAC Guidance emphasizes that the sanctions compliance programs of the companies facilitating ransomware payments "should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction." As significant mitigating factors in OFAC's evaluation of a possible enforcement outcome, these sanctions enforcement guidelines also place importance on a company's "self-initiated, timely, and complete" report to law enforcement regarding a ransomware attack and full and timely cooperation in any investigation. Ultimately, the OFAC Guidance urges entities "to implement a risk-based compliance program to mitigate exposure to sanctions-related violations" and to keep an open line of communication with OFAC where a company suspects that its response to a ransom request may involve a sanctioned person.
Potential Impact of OFAC Guidance
The OFAC Guidance is consistent with the rising importance of cybersecurity to regulators in the United States. Demonstrative of this, and in addition to OFAC's Guidance, the US Department of Justice also recently issued a comprehensive Cryptocurrency Enforcement Framework, which among other points, highlights ransomware and cryptocurrency's sanctions risks.
In line with the OFAC Guidance, US sanctions enforcement actions against facilitation of ransomware payments involving sanctioned persons may increase. Many of the parties involved in any potential ransomware payment may create a sanctions risk. It could be the attackers who may be sanctioned individuals, be linked to a sanctioned country or region, or be acting on behalf of a sanctioned person, including sanctioned governments. It could be the financial institutions, who accept payment on behalf of the attackers. If the funds will be used for "sanctionable" activities, such as terrorism or funding election interference, this may also create a sanctions risk.
However, one hurdle in determining whether a ransomware payment poses a sanctions issue is establishing attribution for the ransomware attack in question. Attribution involves determining the malicious actor(s) responsible for a cyberattack. It is not uncommon for an investigation of a cyberattack to conclude without any determination as to who is responsible for the attack. Without attribution, a regulator, such as OFAC would be unable to determine who is responsible for an attack and therefore whether payment of a ransom would violate any particular sanctions program.
Nonetheless, the risk of sanctions enforcement where an entity pays, or facilitates payment of, a ransom to restore operations should compel organizations to implement appropriate cybersecurity and compliance risk management mechanisms and policies. For example, in conjunction with implementing risk-based sanctions compliance programs, organizations should invest in measures designed to prevent network intrusions, such as endpoint detection and email filtering, and implement training so that employees are able to recognize malicious emails and activity. Policies providing a framework for identifying and responding to cybersecurity incidents quickly and efficiently—including appropriate law enforcement and government agency outreach—can ensure that attackers do not gain a foothold and can increase the odds of determining attribution. In addition, ensuring that critical data and infrastructure are subject to periodic back up processes will enable an organization to withstand a ransomware attack and continue with business operations, while rendering ransom requests futile.
Ultimately, consistent with the OFAC Guidance, organizations that are subject to a ransomware attack, and that facilitate ransomware payments on behalf of victims, should mitigate the impact of such an attack by reporting the incidents to the relevant government agencies, potentially including the FBI, who may assist with determining attribution. OFAC additionally encourages victims and those involved in addressing ransomwareattacks to contact OFAC as well, if they believe a ransom may involve a sanctions nexus, as OFAC views such reporting as a significant mitigating factor in determining an appropriate enforcement approach.
1 The OFAC Guidance is explanatory only and does not have the force of law nor establish new sanctions, nor modify existing sanctions laws and regulations.
2 US persons include US citizens, US permanent resident aliens (e.g., green card holders), entities organized under the laws of the United States or any jurisdiction within the United States (including foreign branches of such entities), and any other person located in the United States. Under some sanctions programs, currently Cuba and Iran, non-US entities owned or controlled by US persons also are considered "persons subject to US jurisdiction."
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020White & Case LLP