WBK Industry News - Federal Regulatory Developments

Paying Ransomware Demands Can Create Risk of Violating OFAC Sanctions

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new guidance regarding how paying ransoms due to ransomware attacks can potentially violate OFAC sanctions.

Ransomware is a type of malicious software which generally blocks access to computer systems and data by encrypting the information so that it is not accessible to the authorized users, and may also involve threats to publicly disclose sensitive or confidential information.  The victims are generally required to make a ransom payment in order to decrypt the files so that they may regain access and avoid public disclosure.  Ransomware attacks have increased significantly over the last few years, and are now often targeted at small- and medium-sized businesses, local government agencies, hospitals, school districts, and other entities which may not have the resources to implement comprehensive cybersecurity.

OFAC administers and enforces the United States’ economic and trade sanction programs, and has imposed sanctions on persons and entities engaged in ransomware attacks.  Payment of ransomware demands to these persons and entities can potentially violate OFAC sanctions.

OFAC recommends that companies and entities who may be targeted or who may be directly or indirectly involved in responding to these attacks (e.g., cyber insurers, digital forensics and incident responders, financial services companies) implement risk-based compliance programs to mitigate exposure to sanctions-related violations.  In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an individual or entity on OFAC’s Specially Designated Nationals and Blocked Persons List, or a comprehensively embargoed jurisdiction. OFAC also recommends immediately reporting ransomware attacks to law enforcement and cooperating fully with law enforcement both during and after a ransomware attack, as these may be mitigating factors is case of a possible violation.