OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware
First Post in a Two-Part Series on Recent OFAC Designations
On September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange, designating SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.” Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation. The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment may then find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus. The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.
OFAC has been busy. Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation: OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force. This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
The Blacklisting of SUEX
According to OFAC, over 40% of SUEX’s known transaction history is associated with illicit actors. As a result, SUEX is prohibited from transacting with U.S. persons or transacting within the United States, and financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. OFAC issued the designation pursuant to Executive Order (E.O.) 13694, entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” which was initially signed by President Barack Obama in 2015. We previously have blogged about the ability of OFAC in other contexts to block assets and prohibit financial transactions with designated individuals and entities here, here, and here.
SUEX operates in Russian and is registered in the Czech Republic. The designation specifically blacklisted 25 blockchain addresses used by or associated with SUEX. Arguably, the designation reflects a tactic by the U.S. government to turn to sanctions, a tool that the government may employ relatively easily and swiftly, in order to punish illicit foreign actors that may be very difficult to prosecute in U.S. courts, at least without a considerable expenditure of effort, time and resources.
According to the press release issued by the U.S. Treasury Department, OFAC’s designation of SUEX is occurring against the backdrop of an increase in the scale, sophistication, and frequency of ransomware attacks. Ransomware (on which we previously have blogged here, here and here) is a form of malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems, in order to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. The Treasury Department noted that “[t]he U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyberattacks, but they underscore the objectives of those who seek to weaponize technology for personal gain[.] . . . [T]he disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.” According to the FBI, ransomware payments reached over $400 million in 2020, which is more than four times the amount of ransomware payments made in 2019. Ransomware schemes unfortunately appear to have proliferated even more in 2021, including the notorious cyberattack on Colonial Pipeline, which resulted in significant gasoline supply shortages in the U.S.
The press release further observed that virtual currencies, while frequently used for lawful activity, also can be used for sanctions evasion, ransomware schemes, and other cybercrimes through the use of peer-to-peer exchangers, mixers, and exchanges. In some cases, malicious actors exploit virtual currency exchanges without the exchange’s knowledge; in other cases, the virtual currency exchange allegedly facilitates illicit activities for its own illicit gains – which is what OFAC has alleged with regard to SUEX.
The Treasury Department emphasized that many agencies across the globe, including the U.S. Financial Crimes Enforcement Network, the Group of Seven and the Financial Action Task Force, are attempting to address ransomware and ransomware-related money laundering, and their nexus with the illicit finance risks posed by virtual assets. The Treasury Department encouraged readers to visit StopRansomware.gov, touted as a “one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience.” OFAC’s Frequently Asked Questions on Virtual Currency can be found here.
OFAC Advisory on Ransomware
The SUEX designation was accompanied by OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”), which “describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant U.S. government agencies, including OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.” Of course, many ransomware schemes indeed have a sanctions nexus, which puts the victim in a potentially untenable spot, particularly because a de facto sanctions nexus may not be entirely clear to the victim. Regardless of the fact that trying to obtain an OFAC license to make an otherwise prohibited payment would take much more time than is even remotely practical when dealing with the exigencies imposed by a ransomware attack, OFAC indicates in the Updated Advisory that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis with a presumption of denial.” (emphasis added).
After listing the alleged malicious cyber actors designated by OFAC for perpetrating or facilitating ransomware attacks, including the aptly named Evil Corp, the Updated Advisory stresses that the U.S. government “strongly discourages” the payment of cyber ransom, which:
. . . . may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves.
The Updated Advisory then provides an ominous reminder that OFAC may impose civil penalties for sanctions violations based on strict liability – i.e., a company can be held liable even if it did not know or have reason to know that it was engaging in a transaction that was prohibited by OFAC. “Enforcement responses range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to public responses, such as civil monetary penalties.”
OFAC offers two basic paths to minimizing the potential penalties posed by this dilemma.
First, financial institutions and other companies should implement a risk-based compliance program to mitigate exposure to sanctions-related violations. The program should account for the risk that a ransomware payment may involve a Specially Designated National (“SDN”) or blocked person, or a comprehensively embargoed jurisdiction (such as North Korea). Effective cybersecurity measures likewise can mitigate any OFAC enforcement response; such measures can include “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols[.]” The Updated Advisory specifically notes that financial institutions covered by the Bank Secrecy Act also will have related anti-money laundering obligations.
Second, “OFAC strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.” The Updated Advisory states that OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) if the victim reports the ransomware attack to OFAC, law enforcement and other relevant agencies as soon as possible and provides cooperation during and after a ransomware attack. This “encouragement” suggests that in practice any ransomware attack should be reported to OFAC and other agencies, because it ultimately may turn out to be the case that the attack had a sanctions nexus.
Even if strong cybersecurity measures, self-reporting and cooperation with the government lead to a non-public response by OFAC, a lurking issue remains: what enforcement risks face a company that finds itself the victim of a second attack involving a sanctions nexus?