May 23, 2022

Volume XII, Number 143


May 20, 2022

Subscribe to Latest Legal News and Analysis

Ransomware Payments Can Lead to Sanctions and Reporting Obligations for Financial Institutions

With cybercrime on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued advisories on one of the most insidious forms of cyberattack – ransomware.

Ransomware is a form of malicious software designed to block access to a system or data.  The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information.  Ransomware attackers usually demand payment in the form of convertible virtual currency (“CVC”), which can be more difficult to trace.  Although ransomware attacks were already on the rise (there was a 37% annual increase in reported cases and a 147% increase in associated losses from 2018 to 2019), the COVID19 pandemic has exacerbated the problem, as cyber actors target online systems that U.S. persons rely on to continue conducting business.


The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”  OFAC stresses that these payments may violate US sanctions laws or OFAC regulations, and encourage future attacks.

OFAC maintains a consolidated list of sanctioned persons, which includes numerous malicious cyber actors and the digital currency addresses connected to them.[1]  Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.  The advisory states that “OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

In addition to violating sanctions laws, OFAC warned that ransomware payments with a sanctions nexus threaten national security interests.  These payments enable criminals to profit and advance their illicit aims, including funding activities adverse to U.S. national security and foreign policy objectives.  Ransomware payments also embolden cyber criminals and provide no guarantee that the victim will regain access to their stolen data.

Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.

OFAC encourages financial institutions to implement a risk-based compliance program to mitigate exposure to potential sanctions violations.  Accordingly, these sanctions compliance programs should account for the risk that a ransomware payment may involve a Specially Designated National, blocked person, or embargoed jurisdiction.  OFAC encouraged victims of ransomware attacks to contact law enforcement immediately, and listed the contact information for relevant government agencies.  OFAC wrote that it considers the “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”  OFAC will also consider a company’s cooperation efforts both during and after the ransomware attack when evaluating a possible outcome.

Such cooperation may also be a “significant mitigating factor” in determining whether and to what extent enforcement is necessary.


FinCEN’s advisory also encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement.  The FinCEN advisory arms these institutions with information about the role of financial intermediaries in payments, ransomware trends and typologies, related financial red flags, and effective reporting and information sharing related to ransomware attacks.

According to FinCEN, ransomware attacks are growing in size, scope, and sophistication.  The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks.  The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise.

FinCEN touted “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense.  The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments.  These red flags include, among others: (1) IT activity that shows the existence of ransomware software, including system log files, network traffic, and file information; (2) a customer’s CVC address that appears on open sources or is linked to past ransomware attacks; (3) transactions that occur between a high-risk organization and digital forensics and incident response companies or cyber insurance companies; and (4) customers that request payment in CVC, but show limited knowledge about the form of currency.

Finally, FinCEN reminded financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments.  A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.  “Reportable activity can involve transactions . . . related to criminal activity like extortion and unauthorized electronic intrusions,” the advisory says.  Given this, suspected ransomware payments and attempted payments should be reported to FinCEN in SARs.  The advisory provides information on how financial institutions and others should report and share the details related to ransomware attacks to increase the utility and effectiveness of the SARs.  For example, those filing ransomware-related SARs should provide all pertinent available information.  In keeping with FinCEN’s previous guidance on SAR filings relating to cyber-enabled crime, FinCEN expects SARs to include detailed cyber indicators.  Information, including “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications,” will assist FinCEN in protecting the U.S. financial system from ransomware threats.


© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 281

About this Author

Kevin McCart White Collar Attorney Squire Patton Boggs Washington DC

Corporations and individuals facing allegations of white-collar criminal and civil violations call upon Kevin McCart to provide the effective legal strategies and investigative skills that will help them avoid prosecution and minimize damaging outcomes. Kevin has been lead counsel in criminal and civil matters in federal district and circuit courts, as well as military courts-martial. His global government and internal investigations background includes representing financial institutions, corporations and individuals in economic sanctions, money laundering, bank fraud, the Bank Secrecy...

Claiborne Clay W. Porter Partner Squire partner Boggs

Clay Porter’s practice focuses on representing clients, including financial institutions, non-bank financial institutions, cryptocurrency businesses and corporations, in complex white collar criminal defense, regulatory enforcement defense, internal investigations and compliance counseling matters. Clay has particular expertise handling cases involving economic sanctions, the Bank Secrecy Act/anti-money laundering laws and regulations (BSA/AML), sensitive employee issues, fraud and embezzlement, corruption and the Foreign Corrupt Practices Act (FCPA). In addition, Clay is routinely called...

Elizabeth Weil Shaw attorney Squire Patton Boggs

Elizabeth Weil Shaw assists clients primarily with government enforcement actions and inquiries, as well as internal investigations and compliance reviews. Liz has analyzed matters involving investigations by the US Securities and Exchange Commission, Department of Justice and State Attorneys General. She is a contributor to the firm's Anticorruption Blog.