The federal government has implemented a multi-prong strategy to deal with the problem. One prong of that strategy is to require private organizations to take more responsibility for preventing ransomware attacks from happening. To that end, in September 2021, the Office of Foreign Asset Control (“OFAC”) published new guidance on avoiding potential sanctions for paying ransoms to ransomware perpetrators.
Federal law generally prohibits U.S. persons, including public and private organizations, from engaging in transactions with entities or individuals on the Specially Designated Nationals and Blocked Persons List (“SDN List”). Federal law also prohibits transactions with individuals or entities that have sufficient nexus with individuals or entities on the SDN List. There can be significant penalties for transactions with individuals or entities on the SDN List. For example, in 2021 OFAC issued penalties totaling more than $20 million to domestic entities.
This is a problem for ransomware victims, because the same perpetrators of the ransomware attack may either be on the SDN List or have sufficient nexus with them to trigger penalties.
It has always been the case that a ransomware victim that chooses to make a ransomware payment to fraudsters ran the risk of violating OFAC rules. There is a good chance that fraudsters perpetrating ransomware fraud are either on, or have a nexus with, the SDN List. However, enforcement against ransomware victims has been mild, if it occurred at all.
That may start to change, however, now that OFAC has published new guidance specifying criteria OFAC will use to determine whether to penalize ransomware victims that choose to pay. OFAC will consider several factors in determining whether ransom payments to an individual or entity on the SDN List will be the basis for assessment of penalties. These factors include whether the organization:
- Complied with the Cybersecurity & Infrastructure Security Agency (“CISA”) ransomware prevention guide;
- Voluntarily informed law enforcement and relevant agencies of the ransom demand;
- Cooperated with law enforcement related to the ransom demand.
In addition, organizations can also request a license from OFAC to make a ransom payment to an entity on the SDN List. However, OFAC has stated that there is a “presumption of denial” to requests to pay entities on the SDN List.
The new OFAC guidance indicates that federal patience is wearing thin. The Colonial Pipeline attack likely accelerated the federal response to dealing with ransomware, because the incident was so disruptive. Organizations that experience a ransomware attack should consult with legal counsel about options in the event they consider making a ransomware payment.