OFAC Helps Those Who Help Themselves: How a Ransomware Response Plan Can Help Avoid Sanctions Enforcement for Ransom Payments

Many companies have a “no ransomware payment” stance until faced with a ransomware attack, especially an attack that causes significant business disruption. At that point, the company may reconsider its stance (or at least make an exception for a one-time ransomware payment). The problem is that the payment may be unlawful if made to certain embargoed countries or threat actors.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) updated its advisory addressing the sanctions risks associated with paying ransomware actors. Many malicious cyber actors are located in embargoed countries such as Iran and North Korea. Further, OFAC has specifically sanctioned ransomware attackers and facilitators of ransomware transactions such as virtual currency exchanges. It is unlawful for U.S. persons to transact with these sanctioned parties, and OFAC’s rules do not offer any exemptions for ransomware payments.

Following are highlights of some key changes and new points of emphasis in OFAC’s guidance:

1. Don’t Pay! (And Strengthen Your Defenses so You Don’t Have To)
• OFAC was definitive in advising against ransom payments—the “U.S. government strongly discourages” paying ransoms.
• Why? Payments embolden bad actors, potentially threaten national security, and may be sanctions violations. Furthermore, these actors don’t reliably stick to their end of the bargain, often sending ineffective or malware-injected decryption keys or re-extort a company after it has made a payment.
• The best way to avoid sanctions violations for making ransomware payments is to avoid the ransomware! Accordingly, to avoid these problems altogether, OFAC recommends “strengthening defensive and resilience measures to prevent and protect” against attacks.
2. More, and More Costly, Attacks
   
   • The update highlighted the 225% increase in ransomware losses from 2019 to 2020, and that no sector was spared: large and small businesses; government and infrastructure entities; schools and hospitals.
3. Beware Crypto Exchanges
   
   • On September 21, OFAC also designated the virtual currency exchange SUEX for facilitating financial transactions for actors associated with at least eight ransomware strains. As a result, all property and property interests of SUEX within U.S. jurisdictions are blocked, and U.S. persons are generally prohibited from transacting with it.
   • The designation serves as a useful reminder to do pre-payment diligence on ransom payment flows if payment is deemed absolutely necessary.
4. Two-for-One Mitigation: Lower Your Cyber Risks and Your Regulatory Exposure
   
   • OFAC articulated “proactive steps” that companies can take that OFAC would view as “mitigating factors” in any sanction-related enforcement action.
   • OFAC endorsed mitigation best practices set forth in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide.
   • The CISA Guide contains recommendations that any entity should be implementing—e.g., offline data backups; incident response plans; cybersecurity training; patching and updating network systems; and multifactor authentication.
5. Notify Law Enforcement, Quickly
   
   • While many companies work with their forensics firm (and insurance carrier) to identify if a threat actor is from an OFAC-sanctioned country, OFAC will credit entities that report ransomware attacks with a sanctions nexus to the FBI, U.S. Secret Service, CISA and other U.S. agencies, treating it as a voluntary self-disclosure under OFAC’s Enforcement Guidelines.
   • A report made “as soon as possible after discovery” is a “significant mitigating factor” in any subsequent enforcement action.
   • OFAC also looks favorably on reporting specifics about the ransom demand and payment instructions to law enforcement.
   • You can even help yourself as law enforcement may have alternative decryption tools and might recover some of your payment.
6. Don’t Forget to Tell OFAC
   
   • OFAC now wants to be contacted if there is “any” reason to “suspect”—not just believe—that the threat actor is sanctioned or connected to someone who is. OFAC’s Enforcement Guidelines provide significant mitigation for voluntary self-disclosure of potential violations when determining the appropriate enforcement action.
7. Avoid the Worst, and the Notoriety
   
   • Although OFAC will take each case on its facts, it is “more likely” to resolve a ransomware-related violation with a non-public “No Action Letter” or “Cautionary Letter” when an entity takes mitigating steps and reports attacks to law enforcement.

The updated OFAC guidance underscores how critical it is for companies to have a detailed ransomware response plan (as part of its incident response plan or a separate ransomware-specific policy) that addresses how to detect, mitigate, recover from and report an attack. Such a plan also should include company-specific considerations about whether, and in what scenarios, it will consider an exception to its no ransomware payments stance and paying a ransom. The sanctions risk highlighted by OFAC should be part of that assessment. Formulating a response plan is just one aspect of a robust cyber defense that will help companies avoid not only becoming cyber victims, but also the most severe sanctions consequences for paying a ransom.

Questions? Please contact Dave Feder, Melissa Duffy, Tyler Newby, or any member of Fenwick’s Compliance Group and/or Privacy & Cybersecurity Practice.