On September 21, 2021, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”) superseding its earlier October 1, 2020 guidance on ransomware attacks and, for the first time, added a virtual currency exchange to the Specially Designated Nationals and Blocked Persons List (“SDN List”).^[1]  In response to the increase in ransomware demands and payments during the COVID-19 pandemic, the U.S. Government has embarked on a “whole of government effort to counter ransomware.”^[2]  The Updated Advisory and SDN designation of SUEX OTC, S.R.O. (“SUEX”) are the Treasury Department’s most recent actions on this front.  They are intended to highlight the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks.^[3]

In the Updated Advisory, OFAC urges companies that engage with victims of ransomware attacks (e.g., cyber insurers, digital forensics and incident response firms, and financial institutions that may process ransom payments) to implement sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.^[4]  These companies should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (“FinCEN”) regulations, including filing Suspicious Activity Reports (“SARs”) or registering with FinCEN as a money services business (“MSB”).^[5]

The Updated Advisory substantively differs from its predecessor in two ways:

1. First, it explicitly discourages all private companies and citizens from paying ransom or extortion demands.^[6] According to the Updated Advisory, rather than pay a ransom, victims should focus proactively on “strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”^[7]  In this regard, the Updated Advisory expressly recommends the cybersecurity practices highlighted in the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Ransomware Guide.^[8]

2. Second, it underscores mitigating factors that OFAC will consider when determining an enforcement response to an apparent violation of U.S. sanctions laws:

• • the existence, nature, and adequacy of a ransomware victim’s sanctions compliance program;

  • whether the victim of a ransomware attack has followed CISA’s Ransomware Guide for avoiding a cyberattack, e.g., maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols;

  • whether the ransomware victim promptly and voluntarily turned over key information to authorities such as technical details of the attack and the amount of ransom demanded; and

  • whether the ransomware victim demonstrated “full and ongoing cooperation” with law enforcement during and after an attack.

Concurrent with the Updated Advisory, OFAC for the first time designated a virtual currency exchange, SUEX OTC, S.R.O. (“SUEX”), for its part in facilitating financial transactions for ransomware actors.^[9]  SUEX, a currency exchange registered in the Czech Republic, allegedly facilitated transactions involving illicit proceeds from at least eight ransomware variants.^[10]  Per OFAC’s press release, more than forty percent of SUEX’s known transaction history was associated with sanctioned individuals and/or entities.^[11]  As a result of OFAC’s designation, all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and any U.S. individual or entity is prohibited from engaging in transactions with or providing services to SUEX.^[12]  Finally, OFAC’s designation also blocks the property and interests in property of entities in which SUEX has a fifty percent or more ownership interest.^[13]

OFAC’s Updated Advisory and its same-day designation of SUEX signals the U.S. Government’s continued focus on:

• disrupting criminal networks and virtual currency exchanges responsible for laundering ransoms;

• discouraging payments to perpetrators;

• encouraging improved cybersecurity across the private sector; and

• increasing incident and ransomware payment reporting to U.S. Government agencies.^[14]

Practical Implications of the Updated Advisory:

• There is no “safe harbor” for ransomware payments. OFAC expects companies to pay attention to a ransomware payment’s destination, adding another important element to an already traumatic event.

• OFAC and FinCEN are pushing companies away from the “pay it and forget it” approach.

• Criminals can exploit the vulnerabilities of even the best cybersecurity program. Having a well-designed and operational ransomware response plan that incorporates the Updated Advisory and CISA’s Ransomware Guide along with “dress rehearsals” for preventing and responding to ransomware events will greatly enhance a company’s ability to weather a ransomware attack.

• Should a ransomware victim ultimately decide to pay a ransom, taking the recommended preventive measures “will be considered a significant mitigating factor in and OFAC enforcement response.”^[15]

^FOOTNOTES

^[1] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021)

^[2] United States Dep’t of the Treasury, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021)

^[3] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021)

^[4] Id at p. 4.

^[5] See FinCEN Guidance, FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, pp. 3, 6 (Oct. 1, 2020), for applicable anti-money laundering obligations related to financial institutions in the ransomware context.

^[6] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, p. 3 (Sept. 21, 2021)

^[7] Id. at p. 1.

^[8] Cybersecurity and Infrastructure Security Agency, Ransomware Guide (Sept. 2020)

^[9] U.S. Dep’t of the Treasury, Office of Foreign Assets Control, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021)

^[10] Id.

^[11] Id.

^[12] Id.

^[13] Id.

^[14] Id.

^[15] United States Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, pp. 4-5 (Sept. 21, 2021)