In the wake of one of the largest reported medical ransomware attacks in U.S. history, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues. Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.
Consistent with the U.S. government’s longstanding policy of encouraging private-public information exchange in combatting cybercrime, both advisories share common themes relating to the development of adequate risk-based compliance programs and the reporting of ransomware attacks and suspicious activity to authorities. The advisories highlight the role that companies regularly engaged with victims of ransomware – for example, cyber insurance companies (CICs), digital forensics and incident response companies (DFIRs), and financial services companies such as Money Services Businesses (MSBs) – have in combating ransomware attacks.
The OFAC advisory describes how U.S. economic sanctions can apply to ransomware payments, as covered in our earlier blog post. The advisory also offers guidance on OFAC’s compliance expectations and enforcement considerations relating to ransomware payments:
- Imposition of Sanctions. The advisory notes that OFAC will continue to designate ransomware attackers under its cyber-related sanctions program, and warns that it will continue to impose sanctions on “others who materially assist, sponsor, or provide financial, material or technological support” for such activities.
- Sanctions Compliance Programs. The advisory further encourages companies that engage with ransomware victims to implement a risk-based sanctions compliance program that accounts for the risk that a ransomware payment may involve a sanctions target.
- Enforcement Guidelines. In the event that a ransomware payment is later determined to have a sanctions nexus, OFAC will consider as significant mitigating factors a company’s “self-initiated, timely, and complete report” of a ransomware attack to law enforcement, and its “full and timely cooperation” with authorities during and after a ransomware attack.
- Licensing Policy. The advisory announces a policy that license applications involving ransomware payments to malicious cyber actors will be reviewed on a case-by-case basis with a presumption of denial. Because of this presumption and the length of time it takes for OFAC to review license applications, companies should carefully consider whether requesting a license to make a ransom payment to a party with a sanctions nexus would be a viable option in practice.
Expanding on a May 9, 2019 advisory concerning convertible virtual currencies (CVCs), the FinCEN advisory provides background information on ransomware attacks and the role of financial intermediaries in facilitating ransomware payments, which typically involve CVCs and anonymity-enhanced cryptocurrencies (AECs). Notably, the advisory warns that certain ransomware-related activities by CICs and DFIRs could constitute money transmission “[d]epending on the particular facts and circumstances,” thereby requiring such companies to register as a MSB with FinCEN and subjecting them to Bank Secrecy Act obligations.
The FinCEN advisory also reminds financial institutions of their regulatory obligations to file Suspicious Activity Reports and identifies a number of ransomware-related red flag indicators to assist in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.
Civil liability under U.S. sanctions operates under strict liability, and a company that makes a ransom payment to a sanctioned attacker could be subject to severe monetary penalties. Moreover, U.S. authorities have, in a number of venues and guidance, repeatedly expressed an interest in information from the private sector regarding cyber threats. Given OFAC’s stated enforcement attention to ransomware payments and mitigation credit offered for engaging with U.S. authorities, companies facing a ransomware attack should carefully consider early engagement with authorities.
CICs, DFIRs, and other companies that regularly engage with ransomware victims should take particular notice of the advisories and implement risk-based sanctions compliance policies that address sanctions and AML risks when assisting ransomware victims. Certain CICs and DFIRs engaging in money transmission should assess potential obligations to register with FinCEN as a MSB.
 See NBC News, “Major hospital system hit with cyberattack, potentially largest in U.S. history” (Sept. 28, 2020), https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254.
 See Press Release, U.S. Dep’t of the Treasury, “Treasury Department Issues Ransomware Advisories to Increase Awareness and Thwart Attacks” (Oct. 1, 2020), https://home.treasury.gov/news/press-releases/sm1142.
 See “Ransomware and Sanctions Compliance: Considerations for Responses to Attacks” (Sept. 14, 2020), https://www.clearytradewatch.com/2020/09/ransomware-and-sanctions-compliance-considerations-for-responses-to-attacks/.
 FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019), https://www.fincen.gov/sites/default/files/advisory/2019-05-10/FinCEN Advisory CVC FINAL 508.pdf.
 The FinCEN advisory highlights that governmental entities as well as financial, educational, and healthcare institutions are increasingly the subject of ransomware attacks.