On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here. The memo comes on the heels of increased regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.
The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment. The memo notes:
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).
The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied].