Ransomware victims are in the eye of the storm
A new U.S. Department of the Treasury advisory is threatening to shake up the way cybersecurity companies handle ransomware attacks
Ransomware is a form of malicious software designed to block access to a computer system or data while displaying a demand for payment in exchange for decrypting the information or restoring victims’ access to their systems or data. The ransom payment is typically requested in the form of cryptocurrencies, such as Bitcoin, to enable relative anonymization and evade the control of established financial institutions and law enforcement.
Over the past few years, ransomware attacks have become one of the most prominent cyberattacks utilized by malicious actors. According to the FBI's 2018 and 2019 Internet Crime Reports, cited in the OFAC's advisory, "there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019." It has widely been reported that ransomware attacks have increased even further during the Covid-19 pandemic due to the dramatic increase in online remote activity.
(Potential) civil liability for facilitating ransomware payments
The OFAC advisory was published against that background of a sharp increase in ransomware attacks and, consequently, in ransom payments. Given the concerns associated with such payments—which can be used to advance illicit aims—the advisory reemphasizes that U.S. individuals and companies are prohibited from engaging, directly or indirectly, in transactions involving sanctioned individuals and entities or comprehensively sanctioned jurisdictions, such as Cuba, Iran, and North Korea.
The advisory goes beyond repeating this general prohibition and clarifies that U.S. companies engaging with victims of ransomware to facilitate or process prohibited payments could face sanctions risks, too. The OFAC may impose civil liability on such companies on a strict liability basis, that is, regardless of whether they knew—or had a reason to know—they were engaging in prohibited payments.
While the advisory targets primarily U.S. companies, it notes that non-U.S. companies engaging in transactions that would cause a U.S. company to violate U.S. sanctions laws may face enforcement risk as well. The same holds for U.S. companies facilitating actions of non-U.S. persons in an effort to avoid U.S. sanctions regulations.
Safe harbor guidelines
The advisory introduces safe harbor guidelines that highlight what companies engaging with victims of ransomware attacks can do to reduce their enforcement risks. Those include three main actions. First, companies should implement risk-based compliance programs. The advisory emphasizes that those programs should specifically account for the risk that a ransom payment may involve sanctioned individuals and entities. Second, companies should initiate a report of the ransomware attack to law enforcement bodies, such as the FBI, who may assist in identifying the malicious actors behind the attack. Third, the OFAC puts a special emphasis on a "company’s full and timely cooperation with law enforcement both during and after a ransomware attack" and states that it would consider such cooperation to be a "significant mitigating factor" when determining the enforcement action in the event of a sanctions violation.
Potential implications of the advisory
At the general level, the advisory reflects OFAC's strict attitude regarding the enforcement of violations related to ransomware payments. While the advisory does not include any actual change to existing laws, as many experts believe, it signals an increasing willingness to enforce sanctions on such payments and "makes clear that victims of ransomware, and the organizations that assist them, must establish processes to comply with OFAC sanctions or risk the consequences."
At the practical level, however, the implications of the advisory are not entirely clear. One of the most dramatic statements in this advisory is that it is telling companies that they are not allowed to facilitate ransomware payments involving sanctioned individuals or entities. This statement seems rather odd because, in many cases, cyber investigation companies and law enforcement bodies are unable to identify the malicious actors who are responsible for the ransomware attacks. Without identifying the malicious actors, it would not be possible to determine whether the ransom payment violates any sanctions program.
From the perspective of cybersecurity companies, the advisory imposes substantial uncertainty. The advisory notes that "facilitating" prohibited transactions on behalf of victims is prohibited, but does not explain what would qualify as facilitating. It is therefore unclear whether and how companies involved in digital forensics and incident response can assist their clients with ransomware attacks.
Ultimately, the advisory is likely to change the way cybersecurity companies handle ransomware attacks. The latter would have to reevaluate the services they are offering and put a special emphasis on cooperating with law enforcement bodies. The advisory may affect the malicious actors, too, who may come up with creative ways to receive the ransom payments, for example, through a seemingly legitimate bank account, rather than digital wallets.
Dr. Nimrod Kozlovski is the Head of Tech & Regulation at Herzog Fox & Neeman law firm. The article was written with the help of Ido Sade, an intern at Herzog Fox & Neeman.