Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

OFAC Issues New Guidelines on Ransomware Payment Sanctions

October 5, 2021

Law firm Clark Hill published a post on September 28 reporting that the Treasury’s Office of Foreign Assets Control (OFAC) issued a new advisory on September 21, updating and superseding its previous advisory issued October 1, 2020. OFAC notes that the Advisory is not law, and does not modify statutes, Executive Orders, or regulations. However, the Advisory contains important guidance for entities that may deliberate about paying a ransom or those that facilitate such payments.

OFAC points out that it may impose civil penalties for sanctions violations even if the entity or person “did not know or have reason to know that it was engaging” in a prohibited transaction. Companies are encouraged to implement a “risk-based compliance program to mitigate exposure to sanctions-related violations.” Companies that facilitate ransom payments are specifically encouraged to consider whether a ransom payment involves a Specially Designated National (SDN) or blocked person, or an embargoed jurisdiction.

OFAC notes that it will consider a company’s efforts to improve cybersecurity practices when determining whether a company committed a sanctionable violation, and points to the September 2020 Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA). The Guide encourages steps such as maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, and implementing other authentication protocols.

The Advisory cites reports from the Federal Bureau of Investigation (FBI) identifying a 21% increase in reported ransom cases and a 225% increase in associated losses from 2019-2021. Ransomware is a highly profitable business, and it is no wonder that the government wants to discourage ransomware payments.

Organizations are highly encouraged to notify law enforcement and other agencies and cooperate with any investigations. OFAC will consider early notification of law enforcement and other mitigation efforts of organizations in its determination of sanctions and penalties. Factors that are considered when determining an appropriate response are found within OFAC’s economic sanctions enforcement guidelines, at 31 C.F.R. part 501, appx. A.

OFAC strongly advises victims of ransomware to report the attacks to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as they can. This may lead to resolutions that could potentially avoid payment. According to the Advisory, where resolutions that do not involve paying a ransom exist, companies should consider those resolutions, as paying a ransom does not guarantee recovery of data or avoidance of future attacks.

That last part is certainly true. There is no honor among thieves. You may not recover your data, you may find that the data has been leaked or sold, or you may face a ransom for a decryption key AND a second ransom for destroying your data – even if you pay that second ransom, you have no assurance that your data has been destroyed or that the criminals have not shared your data with others.

HT to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology