The U.S. Department of Treasury issued a pair of advisories aimed at guiding U.S. individuals and businesses’ responses to ransomware scams and attacks, which continue to increase in frequency, size, and scope.
On October 1, the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. This advisory speaks both to companies that find themselves victims of ransomware attacks and to businesses that facilitate payments to cybercriminals, cautioning both groups that they could face regulatory enforcement efforts and civil penalties if they make payments to designated bad actors.
The advisory also cites alarming statistics from the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports: from 2018 to 2019 there was a 37% increase in reported ransomware cases and a 147% annual increase in associated losses.
Facilitating Ransomware Payments on Behalf of a Victim May Violate OFAC Regulations
The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) prohibit U.S. persons from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, with other blocked persons, and with those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
U.S. individuals and companies may face civil liability for making payments, either directly or indirectly, to sanctioned entities. These penalties are based on strict liability, meaning that a company may be held civilly liable even if it did not know or have reason to know that it was engaging in a transaction with a person that is prohibited under OFAC sanctions laws.
OFAC’s Economic Sanctions Enforcement Guidelines provide additional information regarding OFAC’s enforcement of U.S. economic sanctions, including the factors that OFAC generally considers when determining an appropriate response to an apparent violation.
The OFAC advisory encourages victims of ransomware attacks and financial institutions who engage with such victims to report the attack and cooperate with law enforcement. OFAC views such cooperation as a mitigating factor in any potential sanctions enforcement, so long as it is “self-initiated, timely, and complete.” The existence, nature, and adequacy of a sanctions compliance program is another mitigating factor that may help reduce or eliminate civil sanctions liability.
The OFAC advisory signals a hardline approach, making it clear that exigent circumstances do not relieve victims of their sanctions compliance obligations. Although the advisory condemns ransomware payments, OFAC has not yet brought enforcement actions against victims of such attacks.
The advisory encourages financial institutions and other companies to implement risk-based compliance programs to mitigate exposure to sanctions-related violations. This advice also applies to companies that engage with victims of ransomware attacks, such as those providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments, including depository institutions and money services businesses.
Regulatory Obligations under FinCEN
Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations. On October 1, FinCEN issued its Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.
The advisory notes the rise in the number, severity, and sophistication of ransomware attacks across multiple sectors, including governmental entities and financial, educational, and healthcare institutions. It highlights several developments in ransomware operations, including:
- Big Game Hunting Schemes: The selective targeting of larger enterprises with demands for bigger payouts
- Formation of Ransomware Criminal Partnerships: Cybercriminals now share resources to enhance the effectiveness of attacks, including ransomware exploit kits with ready-made malicious code and tools
- “Double Extortion” Schemes: Where sensitive data is removed from targeted networks, and remaining system files are then encrypted, with the added threat of publishing or selling the stolen sensitive data if the ransom is not paid
- Use of Anonymity-Enhanced Cryptocurrencies (AECs): Increasingly requiring victims to pay in AECs that reduce the transparency of financial flows
- Use of “Fileless” Ransomware: Malicious code is written into the computer’s memory rather than a file on the hard drive, making it harder to detect and prevent
FinCEN’s advisory also identified several red flag indicators of ransomware-related activity to help institutions detect, prevent, and report suspicious transactions associated with ransomware attacks.
Although the advisory makes clear that no single financial red flag indicator is, on its own, proof of illicit or suspicious activity, financial institutions should consider the relevant facts and circumstances of each transaction in keeping with their risk-based compliance programs. A few examples of red flag indicators include:
- IT enterprise activity connected to cyber indicators that have been associated with possible ransomware activity or cyber threat actors known to perpetrate ransomware schemes.
- A customer shows limited knowledge of convertible virtual currency (CVC) during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC in large or rushed amounts, particularly if outside the company’s normal business practice.
- A customer uses a CVC exchanger or foreign-based money service business in a high-risk jurisdiction lacking or known to have inadequate anti-money laundering/combating financing of terrorism controls.
In light of these advisories, companies should consider incorporating this guidance into their incident response plans and ensuring that any response to a ransomware attack complies with all applicable laws. Companies should also carefully review each of their identified supporting vendor partners, including those providing cyber insurance coverage, digital forensics and incident response, and financial services, and any depository institutions and money services businesses that may be responsible for processing ransom payments. Companies should ensure their response plan sets forth the appropriate guardrails to manage all incident response activity in a compliant manner.
October is National Cybersecurity Awareness Month. Please join Adams and Reese’s Privacy, Cybersecurity and Data Management team for Cybersecurity Hour to get an insider’s look at how in-house counsel and leading professionals are managing the risk of ransomware attacks and other cybersecurity incidents. More information on the weekly, hour-long talks can be found here.