On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”).  The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.

The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations.  However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies.  Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.

In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors.  As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.

Continued Opposition to Ransomware Payments

Covington previously observed that the October 2020 OFAC Advisory (the “2020 Advisory”) marked a departure from earlier, more circumspect U.S. government statements on ransomware payments, such as October 2019 FBI guidance, which noted that although the FBI opposes such payments, “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”  By contrast, in its 2020 Advisory, OFAC made clear its view that making ransomware payments encourages future ransomware attacks and, if such payments (and related services and facilitation) violate U.S. sanctions prohibitions, may expose payment participants to OFAC sanctions enforcement.

The Updated Advisory maintains that message and further emphasizes it, noting that “[t]he U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks,” again adding that making or facilitating such payments may also violate U.S. sanctions prohibitions.  The Updated Advisory also reiterates that, since penalties for U.S. sanctions violations may be imposed on a strict liability basis, companies involved in making such payments could be subject to sanctions enforcement even if they did not know and had no reason to know that a particular payment would violate U.S. sanctions prohibitions.

New Mitigating Factors:  Strong Cybersecurity and Engagement with Law Enforcement

The Updated Advisory is most significant for its discussion of the “mitigating factors” OFAC will consider in the event that making or facilitating a ransomware payment does violate OFAC sanctions prohibitions.

Strong Cybersecurity Practices

Consistent with longstanding general OFAC guidance, the 2020 Advisory explained that organizations involved in responding to ransomware attacks — like all organizations — should “implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” which should account for the possibility that ransomware payments may involve parties subject to sanctions.  OFAC explained that the existence of such a program was “a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).”

The Updated Advisory goes further and specifically identifies strong cybersecurity practices as an important mitigating factor for potential OFAC enforcement.  It specifies that “[m]eaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s [(“CISA”)] September 2020 Ransomware Guide,” — which provides ransomware best practices and recommendations from CISA and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) — “will be considered a significant mitigating factor in any OFAC enforcement response.”  This guidance is noteworthy, because it establishes a ransomware-specific mitigating factor not set forth in OFAC’s Economic Sanctions Enforcement Guidelines.

Notification and Cooperation with U.S. Government

The 2020 Advisory described as “significant mitigating factor[s]” both a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement,” and its “full and timely cooperation with law enforcement both during and after a ransomware attack.”

The Updated Advisory maintains that position, but further emphasizes the importance of prompt reporting to and ongoing cooperation with U.S. government agencies.  It explains that “the reporting of ransomware attacks to appropriate U.S. government agencies and the nature and extent of a subject person’s cooperation with OFAC, law enforcement, and other relevant agencies” would be significant mitigating factors in an OFAC enforcement matter.  Cooperation would include “providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible” during and after an attack.

The Updated Advisory also states that OFAC will consider a timely self-disclosure to law enforcement, CISA, the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”), or “other relevant U.S. government agencies” to constitute a voluntary self-disclosure for mitigation purposes in an OFAC enforcement matter.  This portion of the guidance is broadly consistent with OFAC’s general Enforcement Guidelines, which state that “[n]otification of an apparent violation to another government agency (but not to OFAC) by a Subject Person, which is considered a voluntary self-disclosure by that agency, may be considered a voluntary self-disclosure by OFAC, based on a case-by-case assessment.”

Notably, both the mitigating factor concerning a ransomware victim’s cybersecurity posture (newly announced in the Updated Advisory) and the mitigating factor concerning a victim’s cooperation with law enforcement and other relevant agencies (announced in the 2020 Advisory and reiterated in the Updated Advisory) require evaluation of matters outside of OFAC’s traditional areas of expertise.  It is not clear from the Updated Advisory, for example, whether OFAC will itself attempt to determine whether a victim has adopted cybersecurity practices consistent with CISA’s Ransomware Guide, or if it will rely on other government agencies to make these assessments.  Similarly, although OFAC has long considered “the nature and extent of the Subject Person’s cooperation with OFAC” to be a mitigating factor in enforcement matters (see Part III.G of the Economic Sanctions Enforcement Guidelines), it is not yet clear how OFAC will assess the nature and extent of a victim’s cooperation with other agencies for purposes of determining whether OFAC mitigation credit is available, including whether OFAC will apply its own criteria, will instead use other established criteria relied on by other relevant agencies (such as the Department of Justice’s Export and Sanctions Enforcement Policy, the Justice Manual, or the joint Department of Justice/Department of Homeland Security Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities), or will rely on the other government agencies to make these assessments.

Sanctions Designation of Cryptocurrency Exchange

Also on September 21, 2021, OFAC for the first time designated for property-blocking sanctions a virtual currency exchange that facilitated ransomware transactions for ransomware actors.  The designated virtual currency exchange is SUEX OTC, S.R.O. (“SUEX OTC”), also known as “Successful Exchange.”  SUEX OTC was designated pursuant to Executive Order 13694 (as amended by Executive Order 13757), which authorizes the imposition of property-blocking sanctions against persons determined to have engaged in various cyber-enabled activities involving threats to U.S. national security, foreign policy, or the U.S. economy.  As a result of this designation, U.S. persons are prohibited from engaging in or facilitating virtually all transactions involving SUEX OTC, and the assets of SUEX OTC that are within the United States or the possession or control of U.S. persons are subject to blocking.  The same Executive Orders also authorize the imposition of sanctions against persons who materially assist, sponsor, or provide financial, material, or technological support for, or goods or services to or in support of, persons blocked pursuant to those authorities, such as SUEX OTC.

SUEX OTC is identified on the List of Specially Designated Nationals and Blocked Persons (“SDN List”) both according to its name and address, but also according to a series of digital currency addresses denominated in the Bitcoin, Ethereum, and Tether cryptocurrencies.

OFAC has previously designated other parties on the SDN List using their digital currency addresses.  In 2018, it designated two Iranian individuals who helped exchange cryptocurrency-denominated ransomware payments with Iranian fiat currency (rials) on behalf of other Iranian actors involved in the SamSam ransomware scheme, listing their digital currency addresses among other identifying information.  With the advent in 2018 of designations based on this type of identifying information, OFAC released FAQ guidance explaining that OFAC compliance obligations are the same regardless of whether a transaction is denominated in U.S. dollars or a cryptocurrency, and that it will be possible — and therefore, potentially expected in some circumstances — to screen for designated digital currency addresses on the SDN List.
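The screening that OFAC’s FAQ guidance anticipates can be illustrated as follows.  This is an added example, not code from this post, from OFAC, or from any screening vendor: the SDN-style records, the ransom note, and every address in them are constructed placeholders, and the record layout is a simplification of the identifier fields on a real SDN entry.  It shows the one point that a naive string comparison gets wrong: hex (Ethereum-style) addresses may carry EIP-55 mixed case and bech32 Bitcoin addresses are case-insensitive, while legacy base58 Bitcoin addresses are case-sensitive, so each scheme needs its own canonical form before the lookup.

```python
"""Screen ransom payment instructions against SDN-style digital currency addresses.

Added example; not the post's or OFAC's code. All records and addresses below
are constructed placeholders, not real listed addresses.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed SDN-style records. The real SDN List carries digital currency
# addresses as identifier fields on an entry; this dict layout is a simplification.
SDN_RECORDS = [
    {
        "name": "EXAMPLE EXCHANGE S.R.O.",          # placeholder entity
        "aliases": ["EXAMPLE SWAP"],
        "digital_currency_addresses": {
            "XBT": ["1CNSTRUCTEDADDRESSPLACEHLDERxyz",              # placeholder, base58
                    "bc1qplaceh0lderqplaceh0lderqplaceh0lder"],     # placeholder, bech32
            "ETH": ["0xC0FFEEc0ffeeC0FFEEc0ffeeC0FFEEc0ffeeC0FF"],  # placeholder, EIP-55 case
            "USDT": ["0xC0FFEEc0ffeeC0FFEEc0ffeeC0FFEEc0ffeeC0FF"], # same address, ERC-20 USDT
        },
    },
]

# Constructed ransom note; the ETH address appears in all-lowercase on purpose.
RANSOM_NOTE = """\
Your files are encrypted. To decrypt, send 2.5 BTC to
1CNSTRUCTEDADDRESSPLACEHLDERxyz
or 40 ETH to 0xc0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff
Contact: example@invalid
"""

# Address shapes to pull out of free text: 0x-prefixed 40-hex (Ethereum-style),
# bech32 (bc1..., case-insensitive), legacy base58 (1... / 3..., case-sensitive).
ADDRESS_RE = re.compile(
    r"\b(?:0x[0-9a-fA-F]{40}"
    r"|(?i:bc1[ac-hj-np-z02-9]{11,71})"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


class Hit(NamedTuple):
    address: str    # address as it appeared in the instructions
    currency: str   # ticker on the SDN record
    sdn_name: str   # listed entity the address belongs to


def canonical(address: str) -> str:
    """Comparison form: lowercase hex and bech32 addresses (case carries no
    identity there); leave base58 addresses untouched (case is significant)."""
    a = address.strip()
    low = a.lower()
    if low.startswith("0x") or low.startswith("bc1"):
        return low
    return a


def build_index(records) -> Dict[str, List[Hit]]:
    """Map each canonical listed address to the (currency, entity) pairs it is listed under."""
    index: Dict[str, List[Hit]] = {}
    for rec in records:
        for currency, addresses in rec["digital_currency_addresses"].items():
            for addr in addresses:
                index.setdefault(canonical(addr), []).append(
                    Hit(address=addr, currency=currency, sdn_name=rec["name"]))
    return index


def extract_addresses(text: str) -> List[str]:
    return [m.group(0) for m in ADDRESS_RE.finditer(text)]


def screen(text: str, index: Dict[str, List[Hit]]) -> List[Hit]:
    """Return one Hit per (address, listing) pair found in the text."""
    hits: List[Hit] = []
    for addr in extract_addresses(text):
        for listed in index.get(canonical(addr), []):
            hits.append(Hit(address=addr, currency=listed.currency, sdn_name=listed.sdn_name))
    return hits


if __name__ == "__main__":
    for hit in screen(RANSOM_NOTE, build_index(SDN_RECORDS)):
        print(f"SDN match: {hit.address} ({hit.currency}) -> {hit.sdn_name}")
```

In practice the index would be built from the machine-readable SDN List rather than an inline dict, and a hit is a stop-and-escalate signal for the payment workflow, not a data point to file away; the canonicalization step is what keeps a mixed-case or all-caps rendering of a listed address from slipping past the check.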

Further Anticipated Guidance

Looking ahead, recent press reporting (Wall Street Journal, Washington Post) indicates that further related guidance — perhaps from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) — may be forthcoming later this year.  We expect that further guidance will likely include action on FinCEN’s proposed application of the travel rule to cryptocurrency transactions and additional anti-money laundering efforts to deter cryptocurrency-denominated payments in ransomware attacks.

Such additional guidance would be consistent with OFAC and FinCEN’s past practices on ransomware:  last year, in parallel with the 2020 OFAC Advisory, on October 1, 2020, FinCEN issued an advisory intended to assist financial institutions in identifying “red flags” for suspicious ransomware-related transactions.  The advisory also noted that consultants engaged in facilitating ransomware payments could be considered “money transmitters” under the Bank Secrecy Act, triggering additional anti-money laundering compliance obligations, including registration with FinCEN and establishment of an anti-money laundering compliance program.  FinCEN also issued 2019 guidance describing the manner in which cyber threat actors use cryptocurrencies to engage in a range of unlawful activities.

Conclusion

The Updated Advisory continues to make clear that OFAC strongly opposes making or facilitating ransomware payments and may initiate enforcement actions where such payments, or related services or facilitation, violate sanctions.  As a result, ransomware victims and those who assist them must remain attentive to U.S. sanctions compliance obligations.  At the same time, the Updated Advisory also demonstrates OFAC’s continued recognition that some organizations will nevertheless opt to proceed with such payments, and sets forth new guidance for how to minimize the impact of any resulting enforcement action.  However, it is not yet clear how, by which agencies, and under which standards compliance with certain guidance contained in the Updated Advisory will ultimately be evaluated.  Nevertheless, regardless of whether a ransomware victim ultimately chooses to make a ransom payment, the mitigating factors described in the Updated Advisory underscore the importance of preparation, including the development of a strong cybersecurity posture before an attack, and the value of timely reporting to and ongoing cooperation with government agencies after one occurs.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Peter Flanagan

Peter Flanagan counsels clients on a broad range of compliance requirements affecting international trade and investment. These include most notably export controls, economic sanctions constraints, defense trade limitations, and the implications of related non-U.S. requirements. He also has experience in financial services regulation.

Mr. Flanagan has advised leading companies in the oil and gas sector, pharmaceutical and medical technology companies, defense contractors, manufacturing entities, financial institutions and private equity firms, software and high-technology concerns, and university-affiliated laboratories. Consistently ranked as a top-tier practitioner, Mr. Flanagan has deep experience in assisting multinational clients with complex compliance, enforcement, and licensing matters before the key U.S. trade controls agencies, including the U.S. Departments of Treasury, Commerce, and State.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.