Consistent with the U.S. Department of the Treasury’s ongoing focus on cyber-enabled financial crime, on October 1, 2020, two components of the Treasury Department’s Office of Terrorism and Financial Intelligence issued guidance on ransomware-related payments.  One, an advisory issued by the Office of Foreign Assets Control (“OFAC”), describes the significant U.S. sanctions risks of facilitating ransomware payments, and expresses a strong policy preference against doing so.  The second, an advisory issued by the Financial Crimes Enforcement Network (“FinCEN”), alerts financial institutions to trends and indicators of ransomware-related money laundering.  Both underscore the difficult decisions faced by ransomware victims and third parties who assist them as they seek to navigate the loss of access to key data on the one hand, and increasingly significant regulatory risks that making a ransomware payment could entail on the other.

Ransomware attacks occur when a victim’s computer systems become infected with malicious code that denies the user access to, or otherwise impedes the functionality of, its computer systems until a payment is made.  Generally speaking, malicious actors demanding payment in ransomware attacks operate anonymously and take technologically sophisticated steps to conceal their identities and locations.  In typical ransomware incidents, the malicious actor seeking payment often demands that the payments be made in a cryptocurrency, such as Bitcoin, to better preserve the malicious actor’s anonymity. Cryptocurrencies enable this anonymity because they require only a generic alphanumeric address to make or receive payments, and do not require identifying a recipient’s name, location, or bank.  As the two new advisories illustrate, should the victim choose to pay a ransom, the attacker’s anonymity creates sanctions and anti-money-laundering risks for various parties involved.

OFAC Advisory

Recent U.S. government guidance has acknowledged the difficulty ransomware victims face in deciding whether to make the payments demanded, or instead face continued, often catastrophic, business interruptions caused by the unavailability of data and IT systems.  For example, the FBI issued guidance in October 2019 stating that, although “[t]he FBI does not advocate paying a ransom,” “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”  In notable contrast to this sentiment, OFAC’s new ransomware advisory expresses firm opposition to ransomware payments, emphasizes the risk of U.S. sanctions violations such payments entail, and announces a presumption of denial for any license victims may seek to authorize them.

OFAC’s advisory stresses that ransomware payments risk violating U.S. sanctions even when made anonymously, and that OFAC may impose liability for sanctions violations on a strict-liability basis, “even if [the victim] did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

OFAC also pointedly observes that “[c]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”  OFAC notes that such payments may be destined for sanctioned parties or jurisdictions, could be used to fund activities contrary to U.S. national security or foreign policy objectives, may “embolden cyber actors to engage in future attacks,” and do not guarantee that a victim will reclaim its stolen data.  For these reasons, applications for specific OFAC licenses to make ransomware payments will be reviewed “with a presumption of denial,” significantly narrowing one potential avenue for victims to minimize their legal exposure in crafting their responses to such incidents.

Despite these warnings, OFAC also notes that it employs enforcement guidelines in deciding whether to initiate civil enforcement in response to apparent sanctions violations, and when it does, what level of penalty to seek.  In applying its guidelines, OFAC will consider whether the victim, forensic investigator, insurance company, or relevant financial institution has implemented a sanctions-compliance program to mitigate its compliance risk.  Whether a victim timely and completely reports ransomware incidents to, and fully cooperates with, law enforcement also will be a “significant mitigating factor” in assessing any resulting sanctions violations.

OFAC’s guidance follows recent OFAC sanctions designations targeting malicious cyber actors, which together increase the likelihood that a payment of ransom will implicate the sanctions risk identified in OFAC’s guidance.  These include the March 2018 designation of two entities and six individuals associated with Russia’s Main Intelligence Directorate for U.S. election interference and their involvement in the “NotPetya” ransomware incident; the November 2018 designation of two Iranian individuals who helped “exchange digital currency (bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors involved with the SamSam ransomware scheme that targeted over 200 known victims”; the September 2019 designation of three North Korean state-affiliated groups involved in the “WannaCry 2.0” ransomware attack, among others; the December 2019 designation of 17 individuals and seven entities tied to “Evil Corp,” a Russian cyber-crime organization purportedly responsible for distribution of “Dridex” malware; and the June 2020 designation of six Nigeria-based individuals for involvement in an alleged business-email-compromise scheme.

FinCEN Advisory

FinCEN’s advisory focuses on assisting financial institutions in identifying suspicious, ransomware-related transactions.  It notes the increasing prevalence and sophistication of ransomware attacks, describing particular schemes and patterns the agency has observed from Bank Secrecy Act reporting and law enforcement data.  It also describes the elaborate steps ransomware attackers often take to shield their identities and obscure the true recipients of any ransomware payments, often made in cryptocurrencies.

Like OFAC, FinCEN acknowledges the increasingly common role played by forensic investigative firms, as well as companies that provide cyber insurance against such attacks.  Notably, to the extent that incident response experts facilitate ransomware payments — sometimes by receiving a victim’s funds, converting them into cryptocurrency, and transferring them to the attacker’s designated accounts — FinCEN warns that these consultants could be engaged in “money transmission,” triggering Bank Secrecy Act obligations such as the submission to FinCEN of Suspicious Activity Reports.

FinCEN’s advisory also identifies ten “financial red flags” to assist financial institutions in identifying ransomware-related transactions and related money-laundering activity.  These include account-opening documents that specifically describe a ransomware incident; open-source information suggesting that a cryptocurrency address (or other identifying information) may be connected to a malicious cyber actor; transactions between high-risk organizations and digital forensics and incident response or cyber insurance companies (or a close-in-time exchange between such parties of funds for digital currencies); customers with little background in cryptocurrencies seeking to open accounts and transfer them on a rushed basis, or sending unusually large amounts of such currencies; use of cryptocurrency exchangers in jurisdictions with weak money-laundering controls; and executing multiple, rapid trades among cryptocurrencies with no apparent related purpose.  According to FinCEN, these activities could inform a U.S. financial institution’s suspicious activity reporting obligations under the Bank Secrecy Act.

This ransomware-specific guidance follows an earlier FinCEN advisory, issued on May 9, 2019, that described the ways in which malicious actors use cryptocurrencies to engage in a range of unlawful activities, including money laundering, sanctions evasion, and “darknet” marketplace transactions.

Implications of Coordinated Guidance

The coordinated OFAC and FinCEN advisories contain noteworthy takeaways for victims of ransomware attacks as well as the third parties that assist them.

  • For victims, the new guidance underscores the difficulty and uncertainty of proceeding with a ransom payment, noting the prospect of U.S. sanctions compliance exposure, compounded by the low likelihood of obtaining OFAC authorization for ransomware payments to reduce that exposure. However, it also notes that mitigation credit may be available for timely cooperation with law enforcement.
  • For forensic investigators and other consultants focused on incident response, the OFAC guidance raises the possibility of compliance exposure for facilitating unlawful payments to restricted parties, and the FinCEN guidance notes that certain payment facilitation could invite unexpected reporting obligations under the Bank Secrecy Act.
  • And for financial institutions involved in ransomware payment processing, in addition to existing OFAC sanctions compliance obligations, the FinCEN advisory provides new guidance on what “red flags” may trigger suspicious activity reporting obligations.

The guidance therefore makes clear that, in addition to the difficult business decisions ransomware attacks implicate, all parties involved in responding to these attacks also must carefully consider the increasingly complex legal and regulatory dimensions of their strategies.