Paying that ransom request could land you in legal trouble for sanctions violations

To pay or not to pay? paying ransomware can land your company with U.S. sanctions

If your business has been experiencing more phishing, ransomware and malware attacks during the pandemic, you are not alone. Recent data presented by the FBI indicates such cyber attacks and ransom requests are on the rise. Meanwhile these attacks are generating massive revenue for the attackers. Citing recently released FBI data, the US Department of the Treasury, through the Office of Foreign Assets Control (“OFAC”), has placed businesses on notice that payment of ransoms to certain cyber attackers could get a company in trouble under U.S. sanctions laws and regulations for helping to finance sanctioned organizations. Sanctions violations carry significant civil and criminal penalties, as well as reputational and other risks. Therefore this latest warning highlights a new and significant consideration in ransomware incident response.

A recent advisory issued by OFAC recognizes that certain sanctioned governments and cybercrime organizations are behind many of the recent ransomware attacks. The advisory references several different types of ransomware software used or developed by sanctioned persons, including Cryptolocker reportedly developed by sanctioned person Evgeniy Mikhailogich Bogachev; SamSam ransomware, allegedly supported by certain sanctioned Iranians; Wannacry 2.0, linked to Lazarus Group, a sanctioned cybercriminal organization allegedly sponsored by North Korea; and Dridex malware, used by sanctioned Russia-based organization Evil Corp.

OFAC warns that it “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” It further states that this is an important enforcement because ransomware payments could fund criminals and adversaries to profit and advance their illicit aims and therefore fund activities adverse to the national security and foreign policy objectives of the United States. OFAC also states that payments may embolden cyber criminals to engage in more attacks and do not guarantee that the victim will regain access to its data.

As a result, ransomware payments benefiting these sanctioned individuals and organizations give rise to sanctions liability for ransomware victims, even if the victim did not know – or even have any basis for knowing – the identity of the attacker. This is because OFAC has the authority to enforce U.S. sanctions regulations on a strict liability basis, meaning that a payment to a sanctioned person is prohibited whether or not the payer was aware of the identity of the payee. OFAC may exact civil penalties for such actions.

It is not only the victim that can get in trouble for initiating the payment, but financial institutions, online payment processors, forensic/cyber consultants and cyber insurers are also exposed to the risk of facilitating a payment to a sanctioned person in violation of U.S. sanctions regulations. In fact, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) also issued related guidance alerting banks and payment processors to their role in processing ransomware payments in violation of U.S. sanctions laws.

Even so, there are measures that companies can take both to prevent such violations and to mitigate their enforcement risks in the event of a violation:

First, taking steps to prevent ransomware attacks from occurring in the first place is the best defense against extortion by sanctioned parties.
Next, companies should acknowledge that, in the event of a ransomware attack, the overriding interest in getting the business back up in operation may cause “red flags” of sanctions risk to be overlooked or disregarded.
Therefore, companies are advised to proactively develop procedures in preparation for a ransomware attack that include procedures for conducting sanctions due diligence of the attacker based on available information, including by screening all available information regarding the attackers and their digital identifiers against U.S. sanctions lists and consulting as appropriate with law enforcement.
Any compliance program and crisis plan should include a clear commitment from senior management and ensure this sanctions risk is communicated to all relevant employees and understood by senior management.
Increased engagement and information sharing between OFAC and the IT community will serve to improve the amount and quality of OFAC information on sanctioned organizations available for screening purposes.

The big questions left unanswered for industry is how a company can ensure compliance with US sanctions when there is very little data on the identity of an attacker and whether a company is expected to place OFAC sanctions paramount to its own survival in the face of an extortive ransomware attempt. The strongest take-away that companies can take from the notice is that, instituting procedures that include evaluating ransomware payments for compliance with sanctions, appropriately informing law enforcement in the event of an attack, and consulting OFAC sanctions lists and liaising with OFAC before making a cyber ransom payment, a potential ransomware victim can reduce its risk of suffering the “double whammy” of paying a ransom to an attacker that then results in a weighty US sanctions enforcement action.

Ginger T. Faulk, partner at Eversheds Sutherland, represents multinational companies in matters involving US government regulation of foreign trade and investment. She has extensive experience advising and representing global companies, counseling clients in matters arising under U.S. sanctions, export controls, import and other national security and foreign policy trade-related regulations.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.