Pay Now and Pay Later: The Perils of Ransomware Payments
On October 1, 2020, the Department of the Treasury's Office of Foreign Assets Control (OFAC) published an advisory reminding victims of ransomware attacks—and those working with victims—that facilitating payments to ransomware hackers may trigger enforcement actions by the US Government.
In recent years there has been a growing willingness to make ransom payments to cybercriminals who take computer systems and data hostage through a widely recognized form of malicious cybercrime known as "ransomware." With the onset of COVID-19 and the near-global migration to remote working conditions, this trend has increased to record levels. But despite increased attention to the threat of ransomware more generally, even many security professionals may be surprised to learn that companies involved in making such payments, directly or indirectly, can run afoul of US sanctions law. OFAC's advisory reminds financial institutions, cyber-insurance firms, and companies involved in forensics and incident response to think twice before facilitating ransomware payments.
US Sanctions Law
Economic sanctions have existed as a US foreign policy tool for over a century. US sanctions regulations are generally maintained and enforced by OFAC. Typically, they consist of a series of federal laws and regulatory regimes whose purpose is to impose sanctions on specific entities and persons, as well as foreign countries such as North Korea and Iran, for engaging in activities that are contrary to US foreign policy or national security objectives, such as international terrorism, narcotics trafficking, or cybercrime. OFAC considers sanctions violations to be a serious threat to national security and foreign relations. Consequently, persons and entities that violate US sanctions may face fines ranging up to $20 million, depending upon the offense, and prison sentences as long as 30 years. Critically, OFAC may impose fines for sanctions violations based on strict liability, meaning that a company may be held liable for violating US sanctions law even if it did not know or have reason to know its actions were prohibited.
Economic Sanctions on Ransomware Payments
OFAC has designated numerous malicious cyber actors, including those responsible for perpetuating ransomware attacks, as subject to US sanctions. US sanctions laws generally prohibit any transaction with sanctioned parties, even if the payment is being made under duress by, or in support of, a victim of a cyberattack. This means that individuals and entities engaged in or supporting ransomware payments, including processing related financial transactions on behalf of victims of ransomware attacks, must beware the legal consequences of engaging in prohibited or sanctionable conduct. For example, a US financial institution could face significant penalties for processing or otherwise assisting a ransomware payment to a sanctioned party.
Companies facing ransomware attacks might be tempted to seek permission from OFAC to make a payment under duress of a ransomware attack, but there is no guarantee such a license request would be granted, as making or facilitating any ransom payment to a sanctioned party is in direct contravention of US foreign policy. In fact, OFAC reviews license applications involving ransomware payments with a "presumption of denial." The bottom line is that for most potential victims, withholding ransomware payments may be the only means to avoid violations of US sanctions law.
OFAC's release of the advisory at a time when so many companies and stakeholders are under increased pressure to give in to ransomware demands raises more questions than answers:
- Should OFAC be alerted to an ongoing ransomware attack? The advisory encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe sanctioned parties are involved.
- Should businesses include sanctions-related requirements in cyber incident-response policies? While most businesses maintain robust privacy and data breach policies, few will have built-in scenarios for responding to malicious cyber actors designated under US sanctions law.
- How should companies plan to effectively mitigate ransomware payments to sanctioned parties? OFAC encourages companies to develop an effective sanctions compliance program. However, the advisory provides little guidance as to how such programs should account for the rapid pace and high stakes involved in a largescale ransomware attack, as compared to flagging prohibited transactions during the regular course of business.
- Should financial institutions and cyber insurance firms pay more attention to cyber currency payments? Ransomware payments usually take the form of digital currency, such as Bitcoin. Financial and cyber-related institutions may need to consider whether their procedures for scrutinizing digital currency transactions for sanctions risks appropriately take into account ransomware payment scenarios.
For questions about US sanctions law, ransomware payments, or broader national security issues, please reach out to the authors or any of their colleagues in Arnold & Porter's National Security or White Collar Defense & Investigations practice groups.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.