Skip to main content
Enforcement Edge
October 6, 2021

OFAC Imposes Sanctions on Crypto Exchange Over Ransomware Payments, Warns Businesses on Sanction Risks

Enforcement Edge: Shining Light on Government Enforcement

On September 21, 2021, the US Department of the Treasury announced that it would enforce sanctions laws against cryptocurrency exchanges that facilitate ransomware payments, as part of the Department’s larger effort to combat the rising tide of ransomware. Ransomware attacks have rapidly increased in scale, sophistication, and frequency: in 2020, ransomware payments reached more than $400 million and were made almost exclusively in cryptocurrency. The recent Colonial Pipeline ransomware attack—which led to substantial disruption in US fuel supply—underscores the emerging nature of threats from cybersecurity attacks. Virtual currency exchanges are critical nodes in the cryptocurrency ecosystem, and recent Treasury actions focus on such exchanges as a way to combat ransomware attacks.

For the first time, Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on a virtual currency exchange, SUEX OTC, S.R.O. (SUEX), for its facilitation of ransomware payments. According to the Treasury, SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants, and more than 40% of SUEX’s known transaction history is associated with illicit actors. OFAC designated SUEX pursuant to Executive Order 13694, which permits sanctions against “persons engaging in significant malicious cyber-enabled activities.” As a result, all of SUEX’s property and property interests subject to US jurisdiction are blocked, and US persons are prohibited from engaging in transactions with SUEX. Moreover, financial institutions and persons engaged in certain transactions or activities with SUEX may expose themselves to sanctions or an enforcement action, even if they are not directly involved in ransomware payments.

In conjunction with the SUEX announcement, OFAC released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The updated Advisory emphasizes the US government’s policy strongly discouraging payment of ransomware or extortion demands, as well as the importance of robust cybersecurity practices and of reporting to and cooperating with relevant US government agencies in the event of a ransomware attack. The Advisory also states that US persons may be penalized for making payments to a sanctioned actor, even if they did not know or have reason to know that it was engaging in a transaction with a sanctioned actor. As background, OFAC maintains a list of Specially Designated Nationals and Blocked Persons, other blocked persons, and countries or regions with whom US persons are generally prohibited from doing business (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). The Advisory essentially makes explicit that if a US person makes a ransomware payment, the proceeds of which will go to a sanctioned actor (including, now, SUEX), that payment may constitute doing business with a sanctioned party in violation of OFAC rules.

Additionally, the updated Advisory provides more guidance about how financial institutions and other companies can implement a robust sanctions compliance program, which is a factor OFAC may consider when determining the appropriate enforcement response. In particular, companies can reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide. Companies can also reduce their risk of extortion by “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols.”

The updated Advisory outlines more details about appropriate reporting of a ransomware attack, another potentially significant mitigating factor in OFAC enforcement decisions. A demand for ransom after such an attack should be self-disclosed to law enforcement or relevant US government agencies, such as CISA or the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). Disclosure should be made as soon as possible after discovery of an attack. Companies should cooperate with the government by providing all relevant information such as technical details, ransom payment demands, and ransom payment instructions. OFAC is more likely to resolve apparent violations involving ransomware attacks with a non-public response, such as a No Action Letter or a Cautionary Letter, if the company took the mitigating steps described in the Advisory, and in particular if the company promptly reported the attack to law enforcement and provided ongoing cooperation.

Companies face a complex calculus when determining whether to pay ransoms. There is an ever-present risk that cybercriminals may simply accept payment and fail to restore the targeted data. Moreover, paying a ransom does not prevent a cybercriminal from hitting the same victim twice and in fact, may encourage repeat violations. Treasury’s sanctioning of SUEX and OFAC’s updated guidance remind companies of the real risks that accompany ransom payments. Companies, of course, will consider the realities that a ransomware attack followed by non-payment can cause immediate financial, reputational, and societal harms. While there is no single, simple solution to this thorny problem, companies can put themselves in a more tenable position by implementing robust cybersecurity programs to prevent ransomware in the first place and investing in sanctions compliance procedures to mitigate risks should they decide to pay bad actors to free their business data.

If you want to know more or have questions about implementing cybersecurity or sanctions compliance programs, please reach out to any of the authors or your regular Arnold & Porter contact.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.