On Sept. 21, 2021, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory highlighting the sanctions risks companies face when making ransomware payments in connection with malicious cyber-enabled activities.
OFAC also designated SUEX, a virtual currency exchange, as a Specially Designated National and Blocked Person (SDN) under its cyber-related sanctions program. As a result of this designation, U.S. persons are now generally prohibited from engaging in transactions involving SUEX (including using the exchange to make ransomware payments); financial institutions and other persons that engage in certain transactions involving SUEX may themselves be sanctioned or subject to civil or criminal enforcement action; and any SUEX property or interests in property subject to U.S. jurisdiction are blocked.
This is significant because it marks the first designation of a virtual currency exchange. OFAC identifies these exchanges as a critical element of the ransomware ecosystem, as virtual currency is the principal means of facilitating ransomware payments.
Both actions underscore the whole-of-government effort to combat the recent increase in ransomware attacks, and the corresponding expectation that companies will adopt proactive measures to reduce the likelihood of a ransomware attack.
Updated OFAC Advisory
The updated advisory supersedes earlier OFAC guidance issued Oct. 1, 2020. Substantively, the updated advisory does not depart significantly from that guidance. For example, both identify the prohibitions on, and possible penalties for, engaging in a transaction involving a sanctioned party or a comprehensively sanctioned country or territory (Cuba, Iran, the Crimea Region of Ukraine, North Korea, Syria). Both also recommend that a company report a ransomware attack and any subsequent ransom payment to law enforcement as soon as possible, and fully cooperate with law enforcement during and after a ransomware attack.
However, the updated guidance is notable for three reasons: it identifies “mitigating factors”; it accompanies the first designation of a virtual currency platform; and it highlights the risks faced by entities that facilitate ransomware payments and by companies that may be considering making payments.
The updated advisory identifies actions a company can take that OFAC will consider “mitigating factors” in a subsequent enforcement action, increasing the likelihood of resolving apparent violations involving ransomware attacks with a non-public response (i.e., a no action letter or a cautionary letter).
These actions include:
- Implementing a risk-based compliance program to mitigate exposure to sanctions-related violations and to account for the risk that a ransomware payment may involve a sanctioned party or a comprehensively sanctioned country or territory (Cuba, Iran, Crimea Region of Ukraine, North Korea, Syria).
- Adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, to reduce the risk of extortion by a sanctioned actor. These could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols (such as multi-factor authentication).
- Reporting ransomware attacks to appropriate U.S. government agencies as soon as possible, and cooperating fully with OFAC and law enforcement, both during and after a ransomware attack.
SUEX Designation Is a Warning
The updated advisory was accompanied by the first designation of a virtual currency platform. SUEX was designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors. Treasury Secretary Janet Yellen said the government is “committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attack[s].”
For now, OFAC’s action does not directly affect other cryptocurrency exchanges, but SUEX’s designation should serve as a warning to other virtual currency platforms and prompt them to review their practices to ensure they are not facilitating payments to bad actors.
Risks Are Highlighted
The designation of SUEX, coupled with the updated guidance, highlights the risks faced by entities that facilitate ransomware payments and companies that may be considering making such payments.
The action against SUEX, read together with the updated guidance, makes clear that even third-party consultants who negotiate with cyber-attackers and facilitate payment of ransoms could be subject to civil or criminal penalties.
The updated guidance emphasizes that civil penalties are based on strict liability, meaning a person may be held liable even without knowing or having reason to know that a transaction involved a sanctioned party, and can result in a range of enforcement responses, from OFAC’s issuance of a private no action or cautionary letter to the public imposition of civil monetary penalties (currently up to $311,562 per transaction or twice the value of the underlying transaction, whichever is greater).
With the increasing frequency of ransomware attacks, many companies will be put in the difficult position of analyzing the risks of paying ransom. OFAC’s updated advisory makes clear that the U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands, and instead recommends strengthening defensive and resilience measures to prevent and protect against ransomware attacks.
However, the mitigating factors cited in the updated advisory suggest that there are many proactive actions a company can take both to reduce the risk of a ransomware attack in the first instance and to reduce the likelihood of an OFAC enforcement action if an attack does occur.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.
Rachel K. Alpert is co-chair of Jenner & Block’s National Security, Sanctions, and Export Controls practice. She served seven years with the State Department Office of the Legal Adviser, and now counsels clients on a range of issues, including trade sanctions compliance, supply chain and human rights accountability, and CFIUS matters.
Shoba Pillay is a partner in Jenner & Block’s Data Privacy and Cybersecurity practice and the National Security, Sanctions, and Export Controls practice. She previously served in the U.S. Attorney’s Office’s National Security and Cybercrime Section.
Emily A. Merrifield is an associate in Jenner & Block’s Litigation department.