The U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”) published an advisory regarding the risks entailed in facilitating ransomware payments related to malicious cyber-enabled activities. The advisory explains that companies that facilitate ransomware payments to cyber actors on behalf of victims not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
The OFAC explains that under the International Emergency Economic Powers Act (IEEPA), U.S. persons are prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). Additionally, any transaction that causes a U.S. person to violate any IEEPA-based sanctions is also prohibited. Violation of the sanctions regime may give rise to civil penalties imposable by the OFAC as a strict liability offense, even if the person or entity involved did not know or have reason to know it was engaging in a transaction with a person that is prohibited under the SDN List.
The OFAC recommends that financial institutions and organizations that engage with victims of ransomware attacks apply a risk-based compliance program to mitigate exposure to sanctions-related violations. The OFAC states that in the event of a violation, the OFAC may consider mitigating factors in determining the violating organization’s liability, such as the organization’s self-initiated, timely, and complete report of a ransomware attack to law enforcement as well as the organization’s cooperation with law enforcement.
The OFAC also mentions that victims and those involved with addressing ransomware attacks may contact the OFAC and request a license to pay or facilitate the payment demand. However, such applications will be reviewed on a case-by-case basis with a presumption of denial.