On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here. The memo follows increased regulatory activity and public statements regarding ransomware by the Biden Administration, and also follows OFAC’s designation and sanction of SUEX OTC, S.R.O. for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.

The revised memo stresses OFAC’s concern with the many different types of companies that play a role in ransomware cases and the subsequent payment. The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks. (emphasis supplied)

The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied].

Though the payment of a ransomware demand is strongly discouraged by the U.S. Government, we note that the payment of a ransom is not illegal in and of itself. However, if the payment is made to a sanctioned party, OFAC may impose civil penalties for sanctions violations based upon a strict liability standard, meaning that a violation can be found even where the payer did not know the recipient was sanctioned. When determining the appropriate penalty, the OFAC memo notes that “under OFAC’s enforcement guidelines, the existence, nature and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response to an apparent violation of the US Sanctions laws or regulations.” The OFAC memo notes here:

As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.

OFAC also stresses the need for cooperation with the government when dealing with the potential effects of a ransomware attack, and will consider such cooperation as a potentially mitigating factor for an OFAC violation:

OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment. As noted, in doing so victims can receive significant mitigation from OFAC when determining an appropriate enforcement response in the event a sanctions nexus is found in connection with a ransomware payment.

Finally, OFAC refers to the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide (the CISA memo), which outlines steps that can be taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.

Such steps could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.

Conclusion

As we are often in the position of responding to ransomware attacks commenced against clients, we certainly take to heart the strong statements made in the OFAC memo regarding facilitating ransomware payments. Ransomware has been plaguing corporate America for years now, and such attacks have been on the rise rather than in decline. Though the substance of the OFAC memo is not entirely new, its tone is clearly that of “we mean business.”

Perhaps the most important part of the OFAC memo for public and private companies is its reference to the CISA memo’s list of ransomware prevention best practices. We think the CISA memo is required reading for companies, and its reference to offline data backups is a very important piece of advice. Offline backups can be the difference between life and death for companies hit with ransomware demands, because a current backup that the attacker could not reach removes the pressure to pay for data recovery. They should be strongly encouraged for any company. Here is the reference in the CISA memo.

It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.

  • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
  • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.