In early October, the United States Department of Treasury's Office of Foreign Assets Control (OFAC) issued an advisory, warning of the potential risk of sanctions to companies and individuals who pay ransomware payments. The advisory also extends to companies that facilitate ransomware payments on behalf of companies that are experiencing a ransomware attack, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response. The advisory strongly cautions companies victimized by ransomware and ransomware service providers to contemplate the risk of sanctions when devising a response plan.
Sanctions risk are present in ransomware attacks because hackers behind these attacks may often be sanctioned parties or acting on behalf of sanctioned parties or governments. In such cases, companies and individuals who pay ransomware payments may be unknowingly dealing with sanctioned parties and, because U.S. sanctions laws apply on a strict liability basis, would be liable for substantial penalties for such dealings. Advisories such as the one OFAC issued here often foreshadow an uptick in OFAC enforcement in a particular area.
Exacerbating these risks is the fact that ransomware attacks have become more prevalent in recent years, and have become more focused, sophisticated and costly. The OFAC's advisory cited a 147 percent annual increase in ransomware losses from 2018 to 2019. Even more alarming, a recent report shows that payment of ransomware attacks has risen from 45 percent in 2019 to 58 percent in early 20201. The rise in payments has emboldened the ransomware industry, and encourages future ransomware payment demands from malicious actors.
In a joint cybersecurity alert on October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), FBI and the Department of Health and Human Services issued a joint alert about a credible ransomware threat against 400 U.S. hospitals. And while ransomware attacks on large companies have made national headlines in recent months, many ransomware attacks are also carried out against small- to mid-sized businesses and local government agencies. These small- to mid-sized businesses and governments may be even more vulnerable to ransomware attacks, as they lack the resources to properly invest in cyber protection and prevention. Since the ransomware attacks are designed to block access to data or computer systems, smaller companies might be more inclined to quickly pay the ransomware request to gain access to their systems.
It is essential that all businesses understand that facilitating these payments may make them more susceptible to sanctions by providing financial support to individuals that have been designated as malicious cyber actors. Businesses should also be aware that payment does not guarantee that the victim will regain access to the stolen material. OFAC also strongly encourages businesses of all sizes to implement a strong, risk-based compliance program that will help mitigate and prevent exposure to ransomware- and sanctions-related violations. OFAC also asked all victims and parties involved with responding to a ransomware attack to contact OFAC immediately if they suspect that payment would involve a sanctions nexus.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.