CLIENT ALERT: Treasury Warns of Legal Risk of Ransomware Payments
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and Financial Crimes Enforcement Network (“FinCEN”) warned that companies that make or facilitate ransomware payments to threat actors who are sanctioned persons or in comprehensively sanctioned jurisdictions risk violating OFAC regulations and related laws. The FinCEN advisory addressed (1) the process of making ransomware payments; (2) trends in ransomware attacks; (3) “financial red flag indicators” of ransomware activity; and (4) how to report and share information related to ransomware attacks. Companies and individuals face civil monetary and administrative penalties imposed on a strict liability basis, and knowing violations can lead to criminal liability.
Ransomware is malicious software code that blocks access to computer systems or data, frequently by encrypting files and data. Cybercriminals use ransomware to extort ransom payments from victimized businesses in exchange for restoring access to such systems and data. Typically, the criminals offer a decryption key that can be used to unlock the infected files or systems. In addition to blocking access to systems or data, some cybercriminals steal information through exfiltration and threaten to publicly distribute sensitive or proprietary data obtained from the business’s computer systems if ransom payments are not received. Cybercriminals often use common methods to introduce ransomware into a victimized business’s systems, such as phishing and targeted spear-phishing campaigns that prompt individuals to download a malicious file or visit a malicious site.
Ransomware attacks are increasing in number and sophistication. According to the FinCEN advisory, there was a 37% increase in reporting of ransomware incidents to the Federal Bureau of Investigation in 2019 compared to 2018. Further, the advisory states that financial losses have also increased from an average dollar amount per incident of $504,000 in 2019 to $783,000 thus far in 2020.
Since 2016, OFAC has added high-profile entities, individuals and cryptocurrency wallet addresses associated with ransomware variants to its list of Specially Designated Nationals and Blocked Persons (“SDN List”). These designations reflect OFAC’s concern that ransom payments can help criminals further their illicit aims and fund activities adverse to U.S. national security. Companies paying ransoms to anyone later discovered to be on the SDN List are subject to civil monetary penalties of the greater of $305,292 per violation or twice the value of the transaction that forms the basis of the violation.
In the face of potential liability to OFAC, companies confronted with a ransomware attack face significant risk. In some situations, they may know that the attacker is on the sanctions list. In many other situations, however, they may not know. Nevertheless, companies can be held liable even if a ransom payment is made unknowingly to a sanctioned person. OFAC recommends that companies that are victims of ransomware attacks report promptly to law enforcement and cooperate with any investigation both during and after the incident. Such reporting and cooperation will be considered a significant mitigating factor when assessing any enforcement response in the event of a violation.
- Making or facilitating ransomware payments may violate OFAC sanctions and FinCEN anti-money laundering regulations.
- Companies should review and, if necessary, enhance their compliance programs and ransom policies to mitigate sanctions risks.
- Companies should take reasonable steps to identify threat actors demanding ransoms.
- Financial institutions and money services businesses should monitor red flag indicators when deciding whether to file a suspicious activity report about a suspected ransomware payment.
- In the event of a ransomware attack, companies should engage with law enforcement early and cooperate in any investigation.