
OFAC Issues Updated Ransomware Advisory

On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog. 

In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities. OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI). The pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly at smaller businesses and municipal entities with limited resources for cybersecurity investments, as well as at entities supporting critical infrastructure, such as hospitals, that are likely to pay quickly to avoid service disruptions to patients.

Ransomware Payments May Violate US National Security Laws and Sanctions Regulations

As a background matter, U.S. national security laws, specifically the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), authorize OFAC to issue sanctions programs, and these laws prohibit U.S. persons and U.S. businesses from engaging in or facilitating transactions, directly or indirectly, with sanctioned individuals or entities. Sanctioned individuals and entities are identified as Specially Designated Nationals and Blocked Persons on OFAC’s SDN list or are located in countries or regions subject to comprehensive embargoes, such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria. Under these sanctions laws and regulations, U.S. persons and U.S. businesses can be held strictly liable for sanctions violations and may be subject to civil penalties, whether or not the U.S. person or U.S. business knew or had reason to know that the activity was prohibited.

Ransomware payments that end up in the hands of criminals and other adversaries may ultimately be used to threaten U.S. national security interests. Therefore, OFAC continues to state that it “strongly discourages” private companies from paying ransom or extortion demands. OFAC has previously established a Cyber-related sanctions program that targets malicious cyber actors, including their known internet aliases and addresses. OFAC highlights in the 2021 Guidance that it has issued, and will continue to issue, designations under the Cyber sanctions program against cyber actors for perpetrating ransomware attacks and facilitating ransomware demands. The U.S. government has previously linked a number of significant past ransomware attacks, including Cryptolocker, SamSam and WannaCry, to cyber-criminal gangs in sanctioned jurisdictions including North Korea and Iran. The 2021 Guidance notes that the risk of inadvertently making a ransom payment to a sanctioned entity has risen because some sanctioned threat actors have morphed into new groups using updated tools, and because some non-sanctioned threat actors are partnering with sanctioned entities in their attacks, both of which add considerable nuance to this area.

Guidance for Ransomware Victims

The 2021 Guidance, in line with the 2020 Guidance it replaces, highlights that ransomware payments could be subject to OFAC’s licensing policy, which requires U.S. persons and U.S. businesses to apply for written permission from OFAC before making a payment or facilitating a financial transaction that is otherwise prohibited under sanctions laws.

Under this policy, ransomware victims should submit a license application to OFAC for review prior to making the demanded payment. The policy does not provide a set timeframe for OFAC to respond (and there is a presumption of denial), even in the context of a ransomware payment. Any U.S. person or U.S. business deciding whether to respond to a demanded payment in order to regain access to ransomed critical data in the midst of an attack may not want to wait for OFAC to approve the payment.

The 2021 Guidance “strongly encourages” ransomware victims to promptly contact state and federal authorities when a ransomware attack begins, upon receipt of any payment demands, and to advise authorities of any ransomware payments made. Finally, consistent with the 2020 Guidance, the 2021 Guidance emphasizes that prompt reporting of a ransomware attack, as well as ongoing cooperation with law enforcement during the course of the attack, are relevant factors for consideration under OFAC’s enforcement guidelines should the ransomware payment end up in the hands of a sanctioned entity or person.

One significant change in the 2021 Guidance is its statement that a ransomware victim’s defensive and cybersecurity actions taken prior to a ransomware attack will also serve as significant mitigating factors in any OFAC enforcement response. OFAC highlights the practices identified by the Cybersecurity and Infrastructure Security Agency (CISA) in its September 2020 Ransomware Guide, such as:

  • established incident response plans,
  • workforce cybersecurity training,
  • offline backup data repository maintenance,
  • installation of and regular updates to antivirus and anti-malware software,
  • use of two-factor authentication.

CISA’s Ransomware Guide also includes a helpful Ransomware Response Checklist. As our attorneys have previously noted,

“one of the most important components of a ransomware security plan is a robust data backup program. By maintaining an offline and encrypted backup of its records, an organization is less likely to face a scenario where business-critical data is completely inaccessible because the offline backup should not be impacted by ransomware infecting the network.”

Guidance for Companies Engaging with Ransomware Attack Victims

The 2021 Guidance, like the 2020 Guidance, notes that these requirements also apply to the vendors, advisors and insurers that work with victims of ransomware attacks, or that may process ransom payments (including depository institutions and money services businesses). As with any company that is a potential ransomware victim (i.e., everyone), such companies should establish sanctions compliance programs and, if applicable, anti-money laundering compliance programs, not only to address the company’s own risk but also the risk that, in assisting a customer with a ransomware payment, the company facilitates a payment involving an SDN or blocked person, or a comprehensively embargoed jurisdiction.

Attorneys in Honigman’s Data, Privacy, and Cybersecurity group are equipped to handle legal issues involving ransomware from all angles, including developing compliance programs designed to mitigate payment sanctions, conducting ransomware payment vendor diligence, investigating potential business partners for sanctions exposure, implementing controls and training, and navigating regulatory disclosures, investigations, and potential sanctions.