On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the sanctions risks of facilitating ransomware payments connected to malicious cyber-enabled activities. OFAC has seen an increase in ransomware attacks on governmental entities, financial institutions, health care institutions, and educational institutions during the COVID-19 pandemic. These attacks involve “‘ransomware,’ a form of malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims [(individuals and entities)] in exchange for decrypting the information and restoring the victims’ access to their systems or data.”
OFAC has issued sanctions against cyber actors who carry out ransomware attacks and against those who provide them material support. “OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.” The advisory warns companies that may knowingly or inadvertently facilitate victims’ ransomware payments — financial institutions, cyber insurance firms, and digital forensics and incident response companies in particular — that facilitating or processing such payments is likely to encourage future ransomware demands and may also violate OFAC sanctions regulations involving designated individuals, designated entities, or comprehensively embargoed countries and regions.
Persons and entities in the U.S. are “generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes.” Persons and entities in the U.S. that facilitate ransomware payments could be violating OFAC regulations by engaging in a transaction with a person that has been designated by OFAC.
“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.” Those ransomware payments could be used to fund cyber actors or other sanctioned persons whose purpose or activities are adverse to U.S. national security interests or foreign policies. In addition, activities that facilitate ransomware payments may further encourage cyber actors to continue to engage in future ransomware attacks because of past “success” in getting payments.
“OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” and the advisory makes clear that this applies equally to companies “that engage with victims of ransomware attacks.” Companies that may engage with ransomware victims should maintain a sanctions compliance program that accounts for the risk that a ransom payment reaches a sanctioned person, and should determine whether they have reporting or other obligations under the anti-money laundering regulations administered by the Financial Crimes Enforcement Network (FinCEN). Importantly, a company that suspects a ransomware attack involves a sanctions nexus should immediately contact OFAC, in coordination with the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection, so that its response neither violates OFAC sanctions nor harms U.S. national security.
Companies also should be mindful of FinCEN’s companion ransomware advisory, also issued on October 1, which lists financial “red flag” indicators (page 5 of the FinCEN advisory) to help companies identify transactions or activity that present a high risk of being ransomware-related. Financial institutions and other covered companies should have risk-based policies and procedures in place that enable them to detect these red flags and to file suspicious activity reports where required.
A financial institution or company that has reasonable, risk-based OFAC and ransomware compliance programs, policies, and procedures in place can mitigate the consequences of an inadvertent facilitation violation, because OFAC treats such programs as a significant mitigating factor in enforcement. Industry-specific circumstances, such as a health care provider facing immediate risks to patient health and safety because of when an attack struck, may also weigh against enforcement for facilitating a payment.
Ransomware has escalated steadily in both the number of cases and the amounts demanded. The FBI’s Internet Crime Report noted a 37% increase in reported ransomware cases from 2018 to 2019 and a 147% increase in associated losses. Last month, Universal Health Services, which operates roughly 400 hospitals and facilities serving millions of patients in the U.S., was hit by Ryuk ransomware, which has been linked to a Russian cybercrime group. It remains to be seen how health care providers, payors, and institutions can fully satisfy OFAC’s expectation of prompt notification while also preserving the health and safety of patients.
Preventing ransomware, rather than paying for it, is the only reliable way to stay clear of these risks, and businesses need help doing so. The U.S. government has issued many resources, including a Ransomware Guide (published jointly by CISA and MS-ISAC) that details preventive best practices and a response checklist.
In view of the complex and numerous regulatory, national security, and foreign policy implications of activities that facilitate a ransomware payment, all financial institutions, cyber insurance firms, victimized companies, and digital forensics and incident response companies should update their OFAC, FinCEN, and cyber-ransomware compliance policies and procedures to ensure they cover the issues raised in this advisory.