November 29, 2021

Volume XI, Number 333


OFAC Issues Updated Ransomware Advisory and Designates Virtual Currency Exchange

On September 21, 2021, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”) superseding its earlier October 1, 2020 guidance on ransomware attacks and, for the first time, added a virtual currency exchange to the Specially Designated Nationals and Blocked Persons List (“SDN List”).[1]  In response to the increase in ransomware demands and payments during the COVID-19 pandemic, the U.S. Government has embarked on a “whole of government effort to counter ransomware.”[2]  The Updated Advisory and SDN designation of SUEX OTC, S.R.O. (“SUEX”) are the Treasury Department’s most recent actions on this front.  They are intended to highlight the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks.[3]

In the Updated Advisory, OFAC urges companies that engage with victims of ransomware attacks (e.g., cyber insurers, digital forensics and incident response firms, and financial institutions that may process ransom payments) to implement sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.[4]  These companies should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (“FinCEN”) regulations, including filing Suspicious Activity Reports (“SARs”) or registering with FinCEN as a money services business (“MSB”).[5]

The Updated Advisory substantively differs from its predecessor in two ways:

  1. First, it explicitly discourages all private companies and citizens from paying ransom or extortion demands.[6] According to the Updated Advisory, rather than pay a ransom, victims should focus proactively on “strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”[7]  In this regard, the Updated Advisory expressly recommends the cybersecurity practices highlighted in the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Ransomware Guide.[8]

  2. Second, it underscores mitigating factors that OFAC will consider when determining an enforcement response to an apparent violation of U.S. sanctions laws:

    • the existence, nature, and adequacy of a ransomware victim’s sanctions compliance program;

    • whether the victim of a ransomware attack has followed CISA’s Ransomware Guide for avoiding a cyberattack, e.g., maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols;

    • whether the ransomware victim promptly and voluntarily turned over key information to authorities such as technical details of the attack and the amount of ransom demanded; and

    • whether the ransomware victim demonstrated “full and ongoing cooperation” with law enforcement during and after an attack.

Concurrent with the Updated Advisory, OFAC for the first time designated a virtual currency exchange, SUEX OTC, S.R.O. (“SUEX”), for its part in facilitating financial transactions for ransomware actors.[9]  SUEX, a currency exchange registered in the Czech Republic, allegedly facilitated transactions involving illicit proceeds from at least eight ransomware variants.[10]  Per OFAC’s press release, more than forty percent of SUEX’s known transaction history was associated with sanctioned individuals and/or entities.[11]  As a result of OFAC’s designation, all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and any U.S. individual or entity is prohibited from engaging in transactions with or providing services to SUEX.[12]  Finally, OFAC’s designation also blocks the property and interests in property of entities in which SUEX has a fifty percent or more ownership interest.[13]

OFAC’s Updated Advisory and its same-day designation of SUEX signal the U.S. Government’s continued focus on:

  • disrupting criminal networks and virtual currency exchanges responsible for laundering ransoms;

  • discouraging payments to perpetrators;

  • encouraging improved cybersecurity across the private sector; and

  • increasing incident and ransomware payment reporting to U.S. Government agencies.[14]

Practical Implications of the Updated Advisory:

  • There is no “safe harbor” for ransomware payments. OFAC expects companies to pay attention to a ransomware payment’s destination, adding another important element to an already traumatic event.

  • OFAC and FinCEN are pushing companies away from the “pay it and forget it” approach.

  • Criminals can exploit the vulnerabilities of even the best cybersecurity program. Having a well-designed and operational ransomware response plan that incorporates the Updated Advisory and CISA’s Ransomware Guide along with “dress rehearsals” for preventing and responding to ransomware events will greatly enhance a company’s ability to weather a ransomware attack.

  • Should a ransomware victim ultimately decide to pay a ransom, taking the recommended preventive measures “will be considered a significant mitigating factor in any OFAC enforcement response.”[15]

FOOTNOTES

[1] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021)

[2] United States Dep’t of the Treasury, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021)

[3] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021)

[4] Id. at p. 4.

[5] See FinCEN Guidance, FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, pp. 3, 6 (Oct. 1, 2020), for applicable anti-money laundering obligations related to financial institutions in the ransomware context.

[6] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, p. 3 (Sept. 21, 2021)

[7] Id. at p. 1.

[8] Cybersecurity and Infrastructure Security Agency, Ransomware Guide (Sept. 2020)

[9] U.S. Dep’t of the Treasury, Office of Foreign Assets Control, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021)

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, pp. 4-5 (Sept. 21, 2021)

© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 274

About this Author

Kevin McCart
Partner

Corporations and individuals facing allegations of white-collar criminal and civil violations call upon Kevin McCart to provide the effective legal strategies and investigative skills that will help them avoid prosecution and minimize damaging outcomes. Kevin has been lead counsel in criminal and civil matters in federal district and circuit courts, as well as military courts-martial. His global government and internal investigations background includes representing financial institutions, corporations and individuals in economic sanctions, money laundering, bank fraud, the Bank Secrecy...

202-457-6457
Claiborne Clay W. Porter
Partner

Clay Porter’s practice focuses on representing clients, including financial institutions, non-bank financial institutions, cryptocurrency businesses and corporations, in complex white collar criminal defense, regulatory enforcement defense, internal investigations and compliance counseling matters. Clay has particular expertise handling cases involving economic sanctions, the Bank Secrecy Act/anti-money laundering laws and regulations (BSA/AML), sensitive employee issues, fraud and embezzlement, corruption and the Foreign Corrupt Practices Act (FCPA). In addition, Clay is routinely called...

202-457-6511
Sassi Riar
Attorney

Sassi Riar is an associate in the Dubai office of Squire Patton Boggs. She represents clients in white collar criminal matters, government enforcement actions and internal investigations.

She is experienced in advising numerous different banks and financial institutions in the Middle East with respect to multi-agency inquiries, including conducting internal investigations into alleged OFAC sanctions violations and reporting to OFAC and the DOJ as to the same.

+971-4-447-8734