OFAC Warning – Beware of Helping Ransomware Victims Pay their Attackers

Earlier this month, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory to banks and other companies involved in addressing cyberattacks – including cyber insurance firms, digital forensics, and incidence response companies – highlighting the risks associated with ransomware payments to cyber criminals.

The October 1, 2020, advisory notes that facilitating such payments on behalf of a victim of a cyberattack not only encourages future ransomware payment demands that may threaten U.S. national security interests, but also risks violating OFAC regulations, as payments made to the ransomware attackers may require engaging in a transaction, directly or indirectly, with persons or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”).

The advisory goes on to note that OFAC expects companies engaging with victims of ransomware attacks – including those processing ransom payments – to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. Such a program must, among other things, account for the risk that a ransomware payment may involve an SDN List or blocked person, or a comprehensively embargoed jurisdiction.  Additionally, victims and companies involved in addressing ransomware attacks are encouraged under the advisory to immediately contact OFAC if they believe a ransomware request may involve a sanctions nexus.

Based on the advisory, any company involved in addressing ransomware attacks should review its compliance program to ensure it appropriately accounts for any OFAC sanctions nexus, as facilitating a payment to an OFAC blocked person or embargoed country may lead to enforcement actions by OFAC.

A copy of the advisory can be found here.