OFAC Ransomware Guidance: Prepare, Report, and (Preferably) Don’t Pay the Ransom!
As we have previously reported, there has been a major uptick over the past few years—and particularly during the COVID-19 pandemic—in ransomware attacks. These attacks consist of an intrusion by a cybercriminal into the victim’s computers or network, followed by deployment of malware that encrypts the victim’s files, preventing access until a payment is made. More recently, these ransomware attacks also include exfiltration of data as a way to generate even more leverage over the victim. The incentives for victims of ransomware attacks to pay the ransom are substantial: victims need to stop the attack, regain access to their data, restore business functions, and ensure that any stolen data is destroyed and not sold or exploited by bad actors, all of which makes these attacks existential events. On the other hand, making these ransomware payments brings its own risks. These include substantial regulatory risk, as those payments may run afoul of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) guidance, since the payments may be made to parties who are on OFAC’s blacklist. Although there have not yet been any OFAC enforcement actions against those who have made ransomware payments, companies should be aware of the risk of going forward with a ransom payment.
Last week, OFAC issued updated guidance regarding ransomware payments. The new guidance does not materially alter the agency’s October 2020 guidance, but reiterates OFAC’s strong stance that companies should not make any ransomware payments. Additionally, OFAC designated SUEX, a virtual currency exchange, as a blocked person, thereby prohibiting U.S. actors from doing business with it.
Of critical importance, the new advisory identifies two mitigating factors that OFAC will consider in any enforcement action regarding a cyber ransom payment.
First, companies that have taken meaningful steps “to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide” will receive mitigation credit in the event that OFAC brings an enforcement action for making a ransom payment to a prohibited entity. We have previously covered the CISA guidance in depth. In other words, the right preparation can help reduce the potential impact of a ransomware attack, and has the secondary benefit of reducing potential OFAC liability.
Second, OFAC “strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, (“IC3”) or their local U.S. Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.” Here again, OFAC notes that victims that comply with this directive can expect to “receive significant mitigation from OFAC when determining an appropriate enforcement response in the event a sanctions nexus is found in connection with a ransomware payment.” In other words, reporting a ransomware attack to the government can also help reduce any potential OFAC liability.
These factors underscore the need for companies to have robust cybersecurity programs in order to avoid having to make a ransom payment in the first instance. This has a two-fold benefit: not only will it reduce the risk that a company will be hit by a successful ransomware attack, it will minimize the regulatory risk should an attack happen anyway. But if a successful attack does happen, companies should immediately report the incident and cooperate fully with federal authorities. Companies should also maintain a strong sanctions compliance program more generally. In 2019, OFAC published A Framework for OFAC Compliance Commitments, intended to provide organizations with a framework for the five essential components of a risk-based sanctions compliance program. Adherence to the framework will also mitigate companies’ regulatory exposure.
Although OFAC is wise to encourage preparation and defense, even the best cybersecurity program will not necessarily prevent all ransomware attacks. For example, supply chain attacks are difficult, if not impossible, to detect and prevent. Companies hit with ransomware attacks have to do everything in their power to restore their business systems as soon as possible and assess the nature of information that was stolen. And with the recent increase in data exfiltration as part of ransomware attacks, the need to pay a ransom can be more pressing than ever—even the best-prepared company may have no choice but to pay a ransom to ensure that the stolen data is deleted and not publicly shared.
The latest OFAC guidance is a potent reminder that although making a ransom payment may be necessary from a business perspective, those business interests may run squarely into OFAC’s threats to prosecute companies for paying a ransom, potentially putting victims in a difficult quandary. For that reason, if responding to a ransomware attack includes negotiating and making a ransomware payment, in-depth diligence should be conducted to ensure that payment is not being made to an entity that OFAC has sanctioned or forbidden from conducting business in the United States. In addition to the preparation and reporting encouraged by OFAC, conducting due diligence before making a ransomware payment can help minimize regulatory exposure.