New Ransomware Guidance Issued
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new ransomware guidance, discouraging companies and citizens from paying ransoms. The Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments is the latest step taken by the Biden Administration to curb the increase in ransomware attacks.
In 2020, ransomware payments topped $400 million, more than four times the amount paid in 2019. Cyber criminals have found vulnerable targets in the critical infrastructure, healthcare, financial services, education, and government sectors. These attacks typically work by encrypting data or programs on IT systems. The actors behind the attacks then extort a ransom payment, often in the form of cryptocurrency, to decrypt the stolen information and restore user access. Organizations are often quick to pay the ransom because of the high financial, operational, and reputational cost of a disruption of services.
In an effort to combat the financial infrastructure that facilitates ransomware payments, OFAC placed the currency exchange SUEX on the Specially Designated Nationals and Blocked Persons List (SDN List). SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. Recent analysis shows that over 40 percent of SUEX’s known transaction history is associated with illicit actors. The designation means that financial institutions and other persons engaging in transactions with SUEX could expose themselves to primary or secondary sanctions and face enforcement action. This could test the effectiveness of U.S. sanctions in reducing attacks by complicating ransomware transactions. More likely, it will force cyber criminals onto platforms, like bitcoin, that are easier for law enforcement to track. In June, the Department of Justice was able to seize $2.3 million in bitcoin that had been paid as ransom in the Colonial Pipeline incident.
The Treasury Department’s Advisory notes that OFAC has designated numerous cyber actors under its sanctions programs. The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) prohibit U.S. persons from engaging in transactions, directly or indirectly, with entities on OFAC’s sanctions list. OFAC has the authority to impose civil penalties for sanctions violations even if the violator did not know, or have reason to know, that the transaction violated OFAC’s laws and regulations. To reduce sanctions risk, OFAC recommends implementing a risk-based compliance program to mitigate exposure to sanctions-related violations. The recommendation extends to companies that work with ransomware attack victims, such as cyber insurers, digital forensics and incident response firms, and financial services companies involved in processing payments.
OFAC also outlined a number of mitigating factors it would consider in determining an enforcement response. These include taking steps to improve cybersecurity practices, such as those outlined in CISA’s September 2020 Ransomware Guide, and self-reporting ransomware attacks to the appropriate U.S. government agency. The Advisory explains that OFAC would be more likely to resolve the incident with a non-public response if the affected entity reports the incident in a proper and timely manner and cooperates with law enforcement.
Secretary Yellen signaled Treasury’s strong commitment to the whole-of-government response to ransomware by “using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.” While the Treasury Department is clear in detailing its enforcement powers, the Advisory indicates that the Department is more focused on disrupting criminals’ ability to profit than on penalizing ransomware victims.