August 7, 2022

Volume XII, Number 219


August 05, 2022


Ransomware Victims Told to Think Twice Before Paying Hackers

On Tuesday, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory warning ransomware victims that if they give in to a ransom demand and pay foreign actors who are subject to U.S. sanctions, they could face further financial peril. OFAC described sanctions as an appropriate tool for disrupting the economic infrastructure of a ransomware threat that has surged over the last year and targeted countless corporations and critical infrastructure operators. The advisory does not change existing law, but it signals increased regulatory enforcement and puts companies on notice that the risk analysis they must conduct when facing a ransomware attack has become more complicated. It also underscores the importance of keeping an incident response plan current, and of having the right incident response team in place before any attack, so that the response to an attack of this nature complies with the law.

Reiterating the federal government’s strong discouragement of paying ransom after a cyber-attack, the latest OFAC advisory also alerts organizations to the steep civil penalties that may follow a ransom payment to a person or group on the Specially Designated Nationals and Blocked Persons List (“SDN List”). According to the guidance, OFAC may impose civil penalties of up to $20 million for sanctions violations on a strict liability basis, meaning that a victim company may be held civilly liable even if it did not know that the transaction was prohibited under sanctions laws.

Additionally, in a significant change from previous guidance, OFAC now “strongly encourages” all ransomware victims to report incidents to CISA, the FBI, or the U.S. Secret Service. Victim companies that do so can receive significant mitigation from OFAC when it determines an appropriate enforcement response. While the advisory does not create a mandatory ransomware notification rule, it creates a strong incentive for companies hit by a ransomware attack to notify law enforcement even where there is no known sanctions nexus, so that they can take advantage of the enforcement mitigation in the event of an inadvertent violation.

The OFAC advisory also notes that adopting and improving cybersecurity practices will be considered a significant mitigating factor for enforcement purposes. In addition to developing incident response plans, such steps could include maintaining offline backups of data, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others. CISA has also added a Ransomware Readiness Assessment module to its Cyber Security Evaluation Tool (CSET), intended to help organizations gauge their ransomware readiness regardless of their cybersecurity maturity.

While it is not new that the U.S. government strongly discourages ransomware payments, the latest advisory makes one major point clear: OFAC is focused on disrupting criminals’ ability to profit anonymously from attacks, and it is willing to at least threaten greater punishment for victims who pay ransomware attackers without notifying law enforcement. This guidance gives private sector companies yet more reason to put robust compliance and cybersecurity programs in place, including procedures for identifying who is behind an attack and whether that party is subject to sanctions, and to work closely with federal law enforcement to mitigate the consequences that can flow from a ransomware attack.

© 2022 Bracewell LLP. National Law Review, Volume XI, Number 266

About this Author

Philip J. Bezanson, Managing Partner, Seattle, Bracewell LLP

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

Seth DuCharme, Bracewell LLP

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

Brittney Justice, Litigation Attorney, Bracewell LLP

Brittney Justice represents clients across a range of industries in litigation and government enforcement and investigations in federal and state courts. She provides advice on diverse matters, including securities litigation, complex commercial disputes, environmental claims and government investigations. 

Prior to joining Bracewell, Brittney was a legal intern with Texas’ First Court of Appeals.