November 26, 2020

Volume X, Number 331

Advertisement

November 25, 2020

Subscribe to Latest Legal News and Analysis

November 24, 2020

Subscribe to Latest Legal News and Analysis

November 23, 2020

Subscribe to Latest Legal News and Analysis

U.S. Department of the Treasury Issues Advisory Warning that Ransomware Payments May Violate OFAC Sanctions

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory alerting companies of potential sanctions risks related to facilitating ransomware payments.  The five-page advisory states that ransomware victims who pay ransom amounts, and third-party companies that negotiate or pay ransom on their behalf, “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

In the advisory, OFAC wrote that “[r]ansomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States” and took the position that ransomware payments may encourage future attacks. Given the risk that a ransomware payment might include a person or jurisdiction on the OFAC sanctions list, the advisory states that there is a risk that a ransomware payment could violate applicable OFAC sanctions. The advisory also encourages ransomware victims and third parties involved in addressing ransomware attacks to contact OFAC if they believe a request for a ransomware payment would implicate sanctions considerations. Contact information for relevant U.S. government agencies is included at the end of the advisory. OFAC added that it will consider a ransomware victim’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

OFAC notes that ransomware attacks have become increasingly more “focused, sophisticated, costly, and numerous” in recent years, and that ransomware attacks may attack organizations of any size in both the public and private sectors. OFAC has designated “numerous malicious cyber actors” under its sanctions and cyber-related programs, including the developers of well-known ransomware strains such as Cryptolocker, SamSam and WannaCry. The advisory notes that OFAC has imposed (and will continue to impose) sanctions on these actors and others who materially assist, sponsor or provide financial, material or technological support for the ransomware activities.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 276
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement