Paying Ransomware Demands Could Risk US Sanctions, OFAC Warns
Ransomware has been by far the fastest growing type of cyber threat faced by businesses in recent years.
This already significant threat grew precipitously with the onset of the current coronavirus pandemic and the nation’s transition to remote working arrangements, as cybercriminals seek to exploit the security vulnerabilities that coincide with working from home.
On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance cautioning companies of the potential risk of US sanctions for certain ransomware payments paid to parties designated as malicious cyber actors under OFAC’s cyber-related sanctions program.
Companies across all industries should take notice of the OFAC advisory, which provides clear notice that engaging in or facilitating payments may result in enforcement actions and civil penalties in the event the payee is a sanctioned party – even if the entity is unaware that the cybercriminal is subject to US sanctions.
Payment risks
OFAC has designated numerous malicious actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate transactions.
The agency made it clear that engaging in or facilitating ransomware payments to these actors violates US sanctions and, in turn, may subject the payees to OFAC enforcement actions and monetary penalties.
Significantly, these potential sanctions apply both to US companies and foreign businesses that utilize US commerce for business transactions.
The advisory further cautions that OFAC may impose civil penalties for improper ransomware payments based on strict liability.
This means that a person subject to US jurisdiction may be held civilly liable, even if they were unaware they were engaging in a transaction with a prohibited individual or entity.
The advisory also encourages businesses to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.
From a general perspective, OFAC recommends that compliance programs encompass, at a minimum, the following five elements; commitment from senior management to supporting the program; routine and ongoing risk assessments; internal controls that identify, interdict, escalate, report, and document potentially prohibited activity; testing and auditing to evaluate the effectiveness of internal controls; and employee training.
The OFAC also encourages victims and those involved with addressing ransomware attacks to contact it immediately if they believe a request for a ransomware payment may involve a sanctions nexus.
Victims should also contact the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a US financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.
Takeaways
Cybercriminals will continue to take advantage of security weaknesses to deploy destructive ransomware attacks, especially during the ongoing coronavirus pandemic.
Consequently, now more than ever businesses must consistently and aggressively apply security best practices to their networks to manage and defend against this burgeoning threat. In particular, entities should ensure their compliance programs encompass the OFAC recommendations discussed above.
And while paying a ransomware demand is generally discouraged, in the event an entity considers paying a ransom demand, it must take the risk of potential sanctions into account and conduct the necessary due diligence on the ransomware payee prior to the time any payment is executed.
"Paying Ransomware Demands Could Risk US Sanctions, OFAC Warns," by David J. Oberly was published in The Daily Swig on October 16, 2020.