Your business was hit with a ransomware attack over the weekend, and the critical systems are locked up (i.e., encrypted). To unlock those valuable systems and continue operating the business, the threat actor demands financial payment. After much debate, you and your team decide the business needs to meet the threat actor’s demands to continue operations. Are there any laws or regulations you should consider before making a payment? Yes, and some were recently reissued.

On September 6, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published Cyber-Related Sanctions Regulations, 31 C.F.R. Part 578. The regulations do not change any prior OFAC guidance, but simply reissue the regulations posted on December 31, 2015.

While this advisory focuses on OFAC’s recent guidance, leaders facing a ransomware attack still need to consider other laws and regulations, such as those in North Carolina[1] and Florida,[2] that specifically prohibit certain entities from paying or otherwise complying with a ransom demand.

For now, let’s focus on OFAC’s recent regulations. Let’s face it: parsing through the regulations can be tedious, so we’ve summarized some key points so that, hopefully, you won’t have to.

OFAC’s Scope

OFAC administers U.S.-based sanctions by targeting specific countries, individuals (e.g., terrorists and drug traffickers), and any other national security threats, and by imposing certain restrictions and property freezes on them.

While OFAC may notify the public of specific countries or individuals via the publication of lists, such as the Specially Designated Nationals and Blocked Persons List (SDN List), others may nonetheless be subject to OFAC regulations through specific prohibited actions, such as those involving illicit cyber-related activities.

OFAC’s Prohibitions

1. To Whom the Prohibitions Apply

Any property/property interests connected to the U.S. may not be transferred, paid, exported, withdrawn, or otherwise dealt to, among others:

A. Specific listed individuals and companies on the SDN List.

B. Any individual (1) engaged in; (2) complicit in; or (3) who materially assisted with illicit cyber-enabled activities, including those that can lead to the misappropriation of trade secrets, which could cause a threat to the U.S.

C. Any company that is owned or controlled by, or that acts on behalf of, the individuals described in A and B above.

D. Any person that the Secretary of the Treasury determines engaged in undermining the cybersecurity of any person or institution on behalf of government actors, such as the Russian government.

2. What Are Prohibited Transactions?

In addition to blocking all property/property interests from being transferred to the individuals and companies listed above, prohibited transactions include:

A. The contribution or provision of funds, goods, or services to the benefit of any persons whose property/property interests are blocked. For instance, U.S. persons may not provide legal, accounting, financial, or other services to persons whose property and interests are blocked.

B. The receipt of any funds, goods, or services from persons whose property/property interests are blocked.

However, general licenses authorize certain legal and medical services to individuals otherwise subject to a block. Specifically, legal advice is generally allowed if it is not provided to violate these regulations.

3. Effects of Transfers Violating the Regulations

Transfers that violate the regulations will be deemed null and void and cannot be used to assert any interest in property.

What if the property transfer was not made to violate these regulations? A transferee may nonetheless maintain an interest, right, remedy, power, or privilege in the transferred property if the:

A. Transfer did not represent a willful violation of the provisions;

B. Person with whom the property was held did not have reasonable cause to know that the property right was obtained without pre-approval (e.g., licenses);[3] and

C. Person who maintained the property filed a report with OFAC, describing the full circumstances relating to the transfer of property.

4. I’m Subject to a Prohibited Transaction — Now What?

Individuals with funds subject to a prohibited transaction will place such funds in a blocked interest-bearing account in the U.S. The regulations are explicit in that the funds blocked may not be held in a “manner that provides financial or economic benefit[.]”

Owners are responsible for costs relating to the maintenance of the blocked tangible property. Blocked property may be sold or liquidated, subject to OFAC approval.

5. What Consequences Can I Face for Violating OFAC?

Civil Penalties

  • Civil penalties may not exceed $311,562 or twice the amount of the transaction involved in violation of the regulations.

Criminal Penalties

  • Individuals held criminally liable may be fined no more than $1,000,000 or imprisoned for up to 20 years.

OFAC may provide a pre-penalty notice to individuals who have violated the regulations. The alleged violator will have the right to respond within 30 days. Once OFAC has determined that a violation has occurred, OFAC will issue its final agency action in the form of a “penalty notice,” allowing a violator to seek judicial review, if appropriate.

 

[1] N.C.G.S. § 143-800.

[2] Fla. Stat. § 282.3186.

[3] Acquiring a license would allow an individual to engage in certain prohibited transactions. There are general and specific licensing procedures, depending on the prohibited transaction. For those interested in learning more about licensing requirements and procedures, see Section 501.801 of OFAC’s regulations or visit https://home.treasury.gov/policy-issues/financial-sanctions/ofac-license-application-page.