Skip to main content
Top Button
Ransomware – US Government Sanctions Cryptocurrency Exchange and Clarifies Stance on OFAC Risk Ransomware – US Government Sanctions Cryptocurrency Exchange and Clarifies Stance on OFAC Risk

Ransomware – US Government Sanctions Cryptocurrency Exchange and Clarifies Stance on OFAC Risk

The Office of Foreign Assets Control (OFAC) today updated its guidance on ransomware payments and imposed sanctions on a cryptocurrency exchange (SUEX) for facilitating ransomware payments, a step in what the US Government has termed a broad campaign to counter organized cybercriminal groups.  This follows OFAC sanctions against several ransomware groups including Evil Corp. 

In today’s “Updated Advisory on Potential Risks for Facilitating Ransomware Payments,” OFAC has provided more useful context for those facing a ransomware attack that may require making a payment because other steps to recover are not likely to be effective.  Following up on its advisory of October 2020, OFAC today noted two mitigation considerations that it will take into account in the event that a ransomware payment involves a cybercriminal that is subject to OFAC sanctions or is operating in a country subject to a broader OFAC embargo, such as Iran. 

The first mitigation consideration that OFAC will focus on is the extent to which the victim of the attack – or incident responders, legal counsel and forensic advisors helping with the recovery, communicate with law enforcement to share details of the attack, payments and other information relevant to any investigation. Many victims have opened lines of communications with law enforcement, especially since OFAC initially recommended this step last year. However, we understand from our contacts in law enforcement and OFAC that there is a sense that many victims are not doing so. Communicating with law enforcement is also, in our experience, what OFAC informally recommends to any victim that approaches the government for advice on whether to proceed with a payment. Law enforcement cooperation has another benefit in that it may help a company to identify that a cybercriminal – the groups for obvious reasons try to obfuscate their origin and location – is in fact sanctioned.

The second and very positive development is that OFAC will also take into account whether the victim, before the attack, took steps to reduce any vulnerabilities and risks of cyber-attacks. By encouraging companies to implement cybersecurity programs and technical measures to prevent being victimized, the government is taking a more reasonable approach to a difficult issue that has confronted victims that have been hit hard by a ransomware attack that was able to bypass even decent security, a not uncommon situation. This kind of positive reinforcement adds yet another reason for companies to implement or review existing cybersecurity programs – particularly those aspects that involve preventing ransomware. OFAC has now made it clearer that companies that take cybersecurity seriously will be able to point to their cybersecurity program (and spending) – hopefully documented and industry standard – as a mitigating factor in the event that they unintentionally pay a ransom to a sanctioned party. As OFAC reminds us in the advisory, it has the regulatory power to impose significant civil penalties on companies that make such a payment even if they were unaware at the time that the cybercriminal was sanctioned or was operating out of a sanctioned country such as Iran or North Korea. At a more basic level, preventing a cyberattack – or detecting one early before it causes significant damage – should be the priority for all and requires a focus on people, process and policies, usually starting with a solid risk assessment and understanding of the threats you face.

If you have questions about how to mitigate ransomware risks, how to prepare internally for dealing with an incident response, please contact Guillermo Christensen, Office Managing Partner for Washington, D.C. Guillermo has handled cyber-incidents including ransomware events and regularly deals with OFAC and other U.S. government agencies. As a former CIA intelligence officer and a diplomat with the Department of State, Guillermo has a broad perspective on the inner workings of the national security interagency process that deals with issues such as U.S. sanctions/OFAC, CFIUS and export controls. Guillermo has represented clients in both civil and criminal OFAC enforcement actions and has implemented OFAC compliance programs for U.S. and non-U.S. entities.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

View Full Site View Mobile Optimized