On 21 September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory1 that highlights the sanctions risks associated with making ransomware payments. OFAC reiterated that it strongly discourages companies from making or facilitating ransomware payments, which it believes encourages future attacks and may also violate U.S. sanctions. The updated guidance instead seeks to incentivize companies to adopt or improve preventive measures such as cybersecurity controls and to cooperate closely with the U.S. government in case of an attack.
On the same day, OFAC also announced its first designation of a cryptocurrency exchange that facilitated ransomware payments and other illicit transactions.2 The exchange, SUEX OTC, S.R.O. (SUEX), is incorporated in Czechia, but based in Russia, and is a “nested” exchange that uses the payment systems of larger cryptocurrency exchanges to facilitate illicit payments. OFAC designated SUEX pursuant to Executive Order 13694 for providing material support to criminal ransomware actors.3 In its announcement of the designation, OFAC emphasized the critical role that virtual currency exchanges play in the ransomware ecosystem because “virtual currency is the principal means of facilitating ransomware payments and associated money laundering activities.”
- Treasury’s analysis of known SUEX payments indicated that more than 40 percent of its known transaction history was associated with illicit actors, and it has processed transactions associated with the perpetrators of at least eight known ransomware variants.
- The U.S. Department of the Treasury has indicated that it intends to continue to target virtual currency exchanges facilitating illicit transactions, underscoring the importance of robust customer due diligence and know your customer (CDD/KYC) processes at the larger cryptocurrency exchanges that smaller exchanges use to access crypto-to-fiat on- and off-ramps and a broad spectrum of virtual assets.
- The need for strong CDD/KYC is particularly acute when evaluating potential relationships with exchanges operating in high-risk jurisdictions, with lax anti-money laundering or CDD/KYC requirements, or where the exchange’s home jurisdiction is unclear.4
Key Takeaways from the Advisory
- The advisory makes clear that the U.S. government strongly opposes ransomware payments, which it believes fuel further ransomware attacks and may violate U.S. sanctions. The U.S. government continues to advise against making ransomware payments and has stressed the need for companies to adopt strong cybersecurity controls to prevent successful attacks. OFAC encourages victims and companies helping to address ransomware attacks to contact OFAC if there is “any reason to suspect a potential sanctions nexus” regarding a ransomware payment. Payments with a potential sanctions nexus include those that involve not just wallets already listed on OFAC’s Specially Designated Nationals (SDN) List, but also payments that involve wallets linked to known ransomware strains whose creators have been sanctioned or attackers who appear to have links to sanctioned jurisdictions or their governments, such as North Korea or Iran. OFAC has also stated that license applications involving ransomware payments will be reviewed with a presumption of denial.
- OFAC also announced an important change in its Enforcement Guidelines to incentivize good “cyber hygiene.” Specifically, if a company pays a ransom that violates U.S. sanctions (e.g., if the attacker is an SDN), OFAC will give credit to that company when considering pursuing an enforcement action if that company had implemented cybersecurity measures to reduce the risk of successful ransomware attacks, self-reported the suspected ransomware attacks to the U.S. government, and cooperated with the government throughout the attack. By implementing essential cybersecurity measures such as maintaining offline backups of data and instituting cybersecurity training, companies may be less likely to face stiff penalties for potential violations of OFAC regulations.
In addition, in assessing potential penalties, OFAC will also consider the extent to which companies voluntarily self-disclose ransomware attacks to other relevant U.S. government agencies, such as the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection. These voluntary self-disclosures should include technical details related to the ransomware attack, the date the attack occurred, the date the attack was discovered, and the ransomware payment demand.
Challenges and Considerations for the Private Sector
- Private sector entities that pay a ransom to cyber criminals should understand the risk that they may face OFAC enforcement actions. In the advisory, OFAC noted that persons subject to U.S. jurisdiction facilitating ransomware payments, such as companies providing cyber insurance, forensic and incident response capabilities, and financial services, may be held liable if OFAC determines that a payment was made to a prohibited party or jurisdiction. This puts such industry participants, whose primary role is to facilitate payments on behalf of businesses under attack, in a difficult situation. They must make fast, risk-based decisions—often without sufficient information about the identities of the hackers—that may have severe consequences for ransomware victims and for the service providers.
- Although identifying a potential sanctions link in a ransomware payment can be challenging, cryptocurrency experts and commercially available software solutions can help identify risks associated with the wallet or wallets to which the attackers request a ransom be sent. OFAC emphasized in the updated advisory that it may impose penalties for sanctions violations on a strict liability basis, meaning that a person subject to its jurisdiction may be held liable even if it did not know or have reason to know it was engaging in a prohibited transaction. Illicit actors often request ransomware payments to be made in virtual currency to an address in a virtual wallet, making it challenging to identify sanctions links quickly. Blockchain explorers that provide information about wallet attribution can play a critical role in this process, and companies facing an attack that do not already have access to or are unfamiliar with these tools should consult with cryptocurrency experts.
- Companies suffering from a ransomware attack face a difficult choice whether to pay, especially if a sanctioned person is involved, and should promptly and proactively engage with the appropriate U.S. authorities. OFAC has made clear that ransom payments to a sanctioned party are prohibited and that, while companies can apply to OFAC for a specific license to authorize such a payment, the license application will be reviewed with a presumption of denial. This creates a challenge for companies whose systems or operations are frozen by a ransomware attack: either pay the ransom and violate U.S. sanctions or refuse to pay and suffer the continued impacts of the attack. OFAC recommends companies immediately contact OFAC or other relevant authorities in such a situation.
- Virtual currency exchanges, particularly larger exchanges that provide crypto-to-fiat conversion and provide services to smaller exchanges, should ensure they have strong CDD/KYC programs and ongoing monitoring to ensure that they can recognize and appropriately risk-rate and monitor nested accounts. Larger exchanges should take this opportunity to review any nested relationships given the increased enforcement risk and should evaluate whether they will need to terminate any relationships outside of their risk tolerance or devote additional resources to identify and monitor nested exchanges. Exchanges should also ensure that they have the tools they need to understand the sanctions and other potential illicit finance risks associated with counterparty wallet addresses, going beyond simply screening wallet addresses against the OFAC SDN list.
- All companies should implement robust preventive measures and good “cyber hygiene” and create a ransomware attack response plan. As noted above, OFAC will consider strong cybersecurity preventive measures as a mitigating factor when pursuing an enforcement action. Having a response plan in place can ensure that the appropriate steps are followed with respect to communicating with U.S. government agencies—another mitigating measure that OFAC will consider—and vetting the payment request information for any potential ransom payment to understand potential sanctions risk. Cryptocurrency exchanges in particular should articulate their risk appetite with respect to processing ransom payments and develop specific policies and procedures related to detecting and mitigating risks associated with ransomware payments.
1 The U.S. Department of the Treasury, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (September 21, 2021), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.
2 “Treasury Takes Robust Actions to Counter Ransomware” (September 21, 2021), available at https://home.treasury.gov/news/press-releases/jy0364.
3 Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” (April 1, 2015), available at https://www.govinfo.gov/content/pkg/FR-2015-04-02/pdf/2015-07788.pdf.
4 On this point, see K2 Integrity, “Implications of Mounting Legal and Regulatory Scrutiny on Binance” (August 25, 2021), available at https://www.k2integrity.com/en/knowledge/policy-alerts/implications-of-mounting-legal-and-regulatory-scrutiny-on-binance.