March 2, 2021

Volume XI, Number 61


March 01, 2021

Subscribe to Latest Legal News and Analysis

Ransomware Payments May Violate Sanctions Laws, U.S. Treasury Department Warns

On October 1, 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to companies that pay a ransom in the wake of a cyberattack. Specifically, the advisory warned that ransomware attack victims and third-parties who assist these victims could be in violation of federal law if they pay or facilitate the payment of a ransom to a sanctioned individual or entity — intentionally or otherwise. In light of dramatic increases in both the frequency and severity of ransomware attacks during the COVID-19 pandemic, companies should closely review the OFAC advisory and ensure that they take appropriate steps to avoid violating the U.S. sanctions laws if they are victimized by a ransomware attack.

Under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), among other laws, executive orders, and regulations, U.S. persons generally are prohibited from engaging in transactions — directly or indirectly — with individuals or entities “designated” on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), as well as persons or entities covered by comprehensive country embargoes (e.g., Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine). These sanctions also apply to entities owned 50% or more by persons on the SDN List.

Pursuant to various sanctions programs, OFAC previously placed numerous malicious cyber actors on the SDN List. These designated actors include perpetrators and facilitators of ransomware attacks. For example, in September 2019, OFAC designated the Lazarus Group, a cybercriminal organization sponsored by North Korea, after the group launched the May 2017 ransomware attack known as WannaCry 2.0. And in December 2019, OFAC designated the Russia-based Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware.

Individuals and entities who willfully initiate or facilitate a financial transaction with a SDN or a comprehensively embargoed jurisdiction may face significant criminal penalties, including up to 20 years in prison for individuals and fines of up to $1 million. As noted above, the OFAC advisory conspicuously notes that civil penalties may be imposed for sanctions violations even if the parties who initiate or facilitate the transaction did not know or have reason to know that they were engaging in a prohibited transaction — in other words, based on strict liability.

The OFAC advisory encourages ransomware victims to self-report attacks and ransom payments to law enforcement. In determining the “appropriate enforcement outcome” for a ransomware payment made to a sanctioned individual or entity, OFAC will consider the victim’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” and “[f]ull and timely cooperation with law enforcement” as significant mitigating factors. The advisory further “encourages” companies to install an appropriately-tailored, risk-based compliance program that mitigates the risk that a ransomware payment will have to be made and, if made, the consequence of making payment to a SDN or comprehensively embargoed jurisdiction.

In conjunction with OFAC’s advisory, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a separate advisory to companies that facilitate ransomware payments, instructing them to consider filing a Suspicious Activity Report (SAR) when dealing with a ransomware demand.

These new advisories are certain to influence how victims and third-party advisers respond to ransomware attacks. While attacks had grown in frequency and severity prior to COVID-19, ransomware activity has dramatically increased during the pandemic, particularly for U.S.-based victims. In the past, many victims elected to pay ransoms in order to quickly regain access to their data and resume normal business operations. However, the new guidance from OFAC and FinCEN will force victims and their advisers to seriously consider the risk that a ransom payment might violate U.S. sanctions laws and result in significant criminal or civil liability. Ultimately, the decision about whether to pay a ransom will involve balancing many factors, including the significance of the affected data and the relative risk that the attacker is a sanctioned individual or entity.

To minimize the risk of violating U.S. sanctions laws in connection with responding to a ransomware attack, companies should consider these action items:

  • Update and Secure Backups — The only way to ensure a ransom payment is not made to a sanctioned individual or entity is to not pay a ransom at all. The best way to avoid paying a ransom is to ensure that your business has data backups that are both up-to-date and secure. To ensure adequate security, businesses should maintain their backups separately from networks — either offline or through a separate cloud-based service. Businesses also should consider using other safety measures, like multi-factor authentication and separate administrative credentials. Companies should also regularly test their backups and record the time it takes to restore vital systems.

  • Perform Due Diligence — Before initiating a ransom payment, the victim and any third-party advisers should conduct reasonable due diligence on the malicious actors. This due diligence should be completely and accurately documented. Reasonable due diligence should include a search of OFAC’s SDN List — which now includes crypto wallet addresses for designated individuals and entities. Efforts also should be made to determine whether the attackers are affiliated or associated with a comprehensively embargoed jurisdiction — for example, by researching malware variants and email domain(s) associated with the malicious actors to determine if they are associated with embargoed countries.

  • Notify and Cooperate with Law Enforcement — Whenever making a ransomware payment, victims and their advisers should consider alerting the Federal Bureau of Investigation (FBI) — through either the FBI’s Internet Crime Complaint Center or the local FBI field office. Victims should be prepared to provide law enforcement with an overview of the attack, any identifying information about the attackers and their crypto-currency accounts, and information about the ransom demand itself. If a ransom payment is ultimately determined to have been paid to a sanctioned individual or entity, voluntary disclosure to law enforcement and OFAC should be evaluated and strongly considered. OFAC will view the victim’s prior cooperation with law enforcement to be a significant mitigating factor.

  • Institute an Appropriate Risk-Based Compliance Program — The OFAC advisory encourages companies to customize their compliance and security programs based on their unique business risk profile. OFAC has previously issued a framework for compliance that “strongly encourage[d]” companies to incorporate five “essential components” of compliance: management commitment, risk assessment, internal controls, testing and auditing, and training. Companies should assess and update their risk-based compliance program regularly to ensure that they can respond to pernicious and ever-evolving ransomware threats.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume X, Number 280



About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...

(212) 248-3147
M. Angella Castille Corporate Lawyer Faegre Drinker Law Firm

Angie Castille serves as a seasoned international general counsel, partnering with companies to plan and implement their international growth, transactions and trade. For those doing business in emerging markets, she guides them through the maze of managing risk, resolving challenges and operating ethically in those jurisdictions. Angie co-chairs Faegre Drinker's firmwide international team, a cross-disciplinary group of lawyers and consultants who advise clients on international legal and regulatory issues.

International Transactions Experience

Angie counsels public and...

+1 202 589 2849
Kenneth Dort, Drinker Biddle Law Firm, Intellectual Property and Data Security Attorney, Chicago

Kenneth K. Dort counsels clients on information technology and intellectual property law issues—specifically, software development and licensing, systems development and integration, data security and privacy, trade secret protection and patent/copyright/trademark licensing and protection. He is chair of the firm’s Technology Committee.

Ken is CIPP/US, CIPP/E and CIPP/C certified and advises clients throughout the United States, the European Union and Canada on their data security and privacy practices and compliance needs...

Paul Luehr Cybersecurity Lawyer Faegre Drinker

Paul Luehr partners with clients to optimize their privacy and cybersecurity practices, from risk management to incident response. As the leader of the firm's privacy and cybersecurity team, Paul understands that cybersecurity crises can be profoundly costly, and they can strike organizations across a wide range of industries. Drawing from 25 years on the cutting edge of data privacy and cybersecurity — including experience investigating and prosecuting cybercrimes with the Federal Trade Commission (FTC) and the Department of Justice (DOJ) — Paul helps clients avoid becoming a cautionary...

612 766 7195
Adam W. Smith Corporate Attorney Faegre Drinker Biddle & Reath Minneapolis, MN

Adam Smith helps clients sleep soundly by managing their corporate matters, including governance, transactions and cybersecurity. He integrates a background in law, policy and incident response to help clients plan for business success.

Adam gained legal experience as a summer associate at Faegre Baker Daniels and Jones Day, where he drafted memoranda on Blue Sky laws, contributed to due diligence reports for initial public offerings and supported white collar and antitrust investigation work. Adam also served as a legal extern analyzing environmental and international sovereignty...