On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”). The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.
The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations. However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies. Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.
In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors. As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.
Continued Opposition to Ransomware Payments
Covington previously observed that the October 2020 OFAC Advisory (the “2020 Advisory”) marked a departure from earlier, more circumspect U.S. government statements on ransomware payments, such as October 2019 FBI guidance, which noted that although the FBI opposes such payments, “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” By contrast, in its 2020 Advisory, OFAC made clear its view that making ransomware payments encourages future ransomware attacks and, if such payments (and related services and facilitation) violate U.S. sanctions prohibitions, may expose payment participants to OFAC sanctions enforcement.
The Updated Advisory maintains that message and further emphasizes it, noting that “[t]he U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks,” again adding that making or facilitating such payments may also violate U.S. sanctions prohibitions. The Updated Advisory also reiterates that, since penalties for U.S. sanctions violations may be imposed on a strict liability basis, companies involved in making such payments could be subject to sanctions enforcement even if they did not know and had no reason to know that a particular payment would violate U.S. sanctions prohibitions.
New Mitigating Factors: Strong Cybersecurity and Engagement with Law Enforcement
The Updated Advisory is most significant for its discussion of the “mitigating factors” OFAC will consider in the event that making or facilitating a ransomware payment does violate OFAC sanctions prohibitions.
Strong Cybersecurity Practices
Consistent with longstanding general OFAC guidance, the 2020 Advisory explained that organizations involved in responding to ransomware attacks — like all organizations — should “implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” which should account for the possibility that ransomware payments may involve parties subject to sanctions. OFAC explained that the existence of such a program was “a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).”
The Updated Advisory goes further and specifically identifies strong cybersecurity practices as an important mitigating factor for potential OFAC enforcement. It specifies that “[m]eaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s [(“CISA”)] September 2020 Ransomware Guide,” — which provides ransomware best practices and recommendations from CISA and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) — “will be considered a significant mitigating factor in any OFAC enforcement response.” This guidance is noteworthy, because it establishes a ransomware-specific mitigating factor not set forth in OFAC’s Economic Sanctions Enforcement Guidelines.
Notification and Cooperation with U.S. Government
The 2020 Advisory described as “significant mitigating factor[s]” both a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement,” and its “full and timely cooperation with law enforcement both during and after a ransomware attack.”
The Updated Advisory maintains that position, but further emphasizes the importance of prompt reporting to and ongoing cooperation with U.S. government agencies. It explains that “the reporting of ransomware attacks to appropriate U.S. government agencies and the nature and extent of a subject person’s cooperation with OFAC, law enforcement, and other relevant agencies” would be significant mitigating factors in an OFAC enforcement matter. Cooperation would include “providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible” during and after an attack.
The Updated Advisory also states that OFAC will consider a timely self-disclosure to law enforcement, CISA, the U.S. Department of the Treasury’s s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”), or “other relevant U.S. government agencies” to constitute a voluntary self-disclosure for mitigation purposes in an OFAC enforcement matter. This portion of the guidance is broadly consistent with OFAC’s general Enforcement Guidelines, which state that “[n]otification of an apparent violation to another government agency (but not to OFAC) by a Subject Person, which is considered a voluntary self-disclosure by that agency, may be considered a voluntary self-disclosure by OFAC, based on a case-by-case assessment.”
Notably, both the mitigating factor concerning a ransomware victim’s cybersecurity posture (newly announced in the Updated Advisory) and the mitigating factor concerning a victim’s cooperation with law enforcement and other relevant agencies (announced in the 2020 Advisory and reiterated in the Updated Advisory) require evaluation of matters outside of OFAC’s traditional areas of expertise. It is not clear from the Updated Advisory, for example, whether OFAC will itself attempt to determine whether a victim has adopted cybersecurity practices consistent with CISA’s Ransomware Guide, or if it will rely on other government agencies to make these assessments. Similarly, although OFAC has long considered “the nature and extent of the Subject Person’s cooperation with OFAC” to be a mitigating factor in enforcement matters (see Part III.G of the Economic Sanctions Enforcement Guidelines), it is not yet clear how OFAC will assess the nature and extent of a victim’s cooperation with other agencies for purposes of determining whether OFAC mitigation credit is available, including whether OFAC will apply its own criteria, will instead use other established criteria relied on by other relevant agencies (such as the Department of Justice’s Export and Sanctions Enforcement Policy, the Justice Manual, or the joint Department of Justice/Department of Homeland Security Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities), or will rely on the other government agencies to make these assessments.
Sanctions Designation of Cryptocurrency Exchange
Also on September 21, 2021, OFAC for the first time designated for property-blocking sanctions a virtual currency exchange that facilitated ransomware transactions for ransomware actors. The designated virtual currency exchange is SUEX OTC, S.R.O. (“SUEX OTC”), also known as “Successful Exchange.” SUEX OTC was designated pursuant to Executive Order 13694 (as amended by Executive Order 13757), which authorizes the imposition of property-blocking sanctions against persons determined to have engaged in various cyber-enabled activities involving threats to U.S. national security, foreign policy, or the U.S. economy. As a result of this designation, U.S. persons are prohibited from engaging in or facilitating virtually all transactions involving SUEX OTC, and the assets of SUEX OTC that are within the United States or the possession or control of U.S. persons are subject to blocking. The same Executive Orders also authorize the imposition of sanctions against persons who materially assist, sponsor, or provide financial, material, or technological support for, or goods or services to or in support of, persons blocked pursuant to those authorities, such as SUEX OTC.
SUEX OTC is identified on the List of Specially Designated Nationals and Blocked Persons (“SDN List”) both according to its name and address, but also according to a series of digital currency addresses denominated in the Bitcoin, Ethereum, and Tether cryptocurrencies.
OFAC has previously designated other parties on the SDN List using their digital currency addresses. In 2018, it designated two Iranian individuals who helped exchange cryptocurrency-denominated ransomware payments with Iranian fiat currency (rials) on behalf of other Iranian actors involved in the SamSam ransomware scheme, listing their digital currency addresses among other identifying information. With the advent in 2018 of designations based on this type of identifying information, OFAC released FAQ guidance explaining that OFAC compliance obligations are the same regardless of whether a transaction is denominated in U.S. dollars or a cryptocurrency, and that it will be possible — and therefore, potentially expected in some circumstances — to screen for designated digital currency addresses on the SDN List.
Further Anticipated Guidance
Looking ahead, recent press reporting (Wall Street Journal, Washington Post) indicates that further related guidance — perhaps from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) — may be forthcoming later this year. We expect that further guidance will likely include action on FinCEN’s proposed application of the travel rule to cryptocurrency transactions and additional anti-money laundering efforts to deter cryptocurrency-denominated payments in ransomware attacks.
Such additional guidance would be consistent with OFAC and FinCEN’s past practices on ransomware: last year, in parallel with the 2020 OFAC Advisory, on October 1, 2020, FinCEN issued an advisory intended to assist financial institutions in identifying “red flags” for suspicious ransomware-related transactions. The advisory also noted that consultants engaged in facilitating ransomware payments could be considered “money transmitters” under the Bank Secrecy Act, triggering additional anti-money laundering compliance obligations, including registration with FinCEN and establishment of an anti-money laundering compliance program. FinCEN also issued 2019 guidance describing the manner in which cyber threat actors use cryptocurrencies to engage in a range of unlawful activities.
The Updated Advisory continues to make clear that OFAC strongly opposes making or facilitating ransomware payments and may initiate enforcement actions where such payments, or related services or facilitation, violate sanctions. As a result, ransomware victims and those who assist them must remain attentive to U.S. sanctions compliance obligations. At the same time, the Updated Advisory also demonstrates OFAC’s continued recognition that some organizations will nevertheless opt to proceed with such payments, and sets forth new guidance for how to minimize the impact of any resulting enforcement action. However, it is not yet clear how, by which agencies, and under which standards compliance with certain guidance contained in the Updated Advisory will ultimately be evaluated. Nevertheless, regardless of whether a ransomware victim ultimately chooses to make a ransom payment, the mitigating factors described in the Updated Advisory underscore the importance of preparation, including the development of a strong cybersecurity posture before an attack, and the value of timely reporting to and ongoing cooperation with government agencies after one occurs.