We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
23 October 2020
Why OFAC's ransomware advisory matters
OFAC names specific ransomware and malware, but does not clearly make them off limits
OFAC knows how to make legal links to SDNs, but has not done so here
What should cyber-ransomed companies (or their incident response providers or insurers) do?
Who you gonna call?
On 1 October 2020 the US Department of Treasury's Office of Foreign Assets Control (OFAC) issued an advisory highlighting sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyberattacks.
Relatedly, the US Department of Treasury's Financial Crimes Enforcement Network (FinCEN) issued guidance alerting financial institutions to their role in processing ransomware and associated payments, red flags and reporting information.
Included on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List are a number of 'malicious cyber actors' designated pursuant to OFAC's cyber-related or North Korea sanctions. Under these programmes, making an SDN-related ransom payment, directly or indirectly facilitating such a payment or even making related insurance or reinsurance claims payments is likely a prohibited dealing in property (including services) in which the SDN has an interest if conducted by a US person or otherwise subject to US jurisdiction. Civil penalties per violation can be up to $307,922 or twice the value of the payment at issue (whichever is higher); criminal penalties for knowing of violations can be up to $1 million and 20 years' imprisonment.
Accordingly, US individuals and entities – including ransomware victims, financial institutions, incident response companies and insurers that process ransomware-related payments – wherever located, should avoid engaging in transactions involving SDNs in the ransomware context. Transactions could include directly or indirectly receiving customer funds, exchanging them for convertible virtual currency, transferring them to the attacker's accounts or making the ransom victim whole through an insurance payment relating to a ransom payment.
In addition, any foreign individual or entity that sends a ransomware-related payment involving an SDN through the United States can also be subject to civil and criminal penalties.
In its advisory, OFAC identifies the following relevant ransomware and malware and their SDN connections:
Although OFAC provides this list of ransomware-related SDNs, the advisory raises more questions than it answers with respect to the specific ransomware and malware that it identifies. Left unanswered is whether all cyber ransom attacks using the various ransomware and malware identified are to be assumed to involve the associated SDN, especially when there is evidence that other entities can use the same ransomware and malware. The advisory itself, in noting that the Dridex malware was not just developed but was distributed by the SDN Evil Corp, makes clear that not all ransomware attacks using these malware are attacks in which the SDN has an interest.
A tried and true way to legally link ransomware like WannaCry 2.0 to an SDN like Lazarus Group is for OFAC to amend the SDN List to add the new name to the SDN's identifying information. Lazarus Group, for example, already has 11 listed 'weak aliases', including Guardians of Peace and The New Romantic Cyber Army Team, against which millions of transactions every day worldwide are screened by countless financial institutions and other businesses. OFAC could add WannaCry 2.0 to that list to make it clear that any transactions using WannaCry 2.0 should be assumed to include an interest of Lazarus Group.
Although the SDN List includes the SDNs named above, OFAC has not seen fit to add any of the listed ransomware or malware that it has associated with these parties to the SDN List, even as weak aliases for the relevant SDNs. The one possible exception is that Dridex Gang is listed as an alias for SDN Evil Corp, but the word 'Gang' in Dridex Gang suggests that it is a separate entity and not the malware. Thus, the presence of the related ransomware or malware – whether Cryptolocker, SamSam, WannaCry 2.0 or Dridex – does not mean that an SDN necessarily has any interest in the related transactions.
Often the only thing that a ransomware target or its incident response providers or insurers will know about its attacker are:
All of this information should always be run against the SDN List. OFAC occasionally provides identifying email addresses and digital currency addresses on the SDN List and may add specific ransomware and malware in the future. A positive hit should stop payment of any ransom before an interest of the relevant SDN can clearly be ruled out.
If there are no SDN List hits and the only link to a possible sanctions nexus is the use of one of the four ransomwares or malwares listed in OFAC's advisory, there is little guidance in the advisory regarding how to proceed. However, the advisory does provide guidance on how to ensure that the possibility and severity of a subsequent OFAC enforcement action, were one to be considered by OFAC, would be significantly mitigated.
OFAC will consider a company's "self-initiated, timely, and complete report of a ransomware attack to law enforcement" to be a significant mitigating factor if an OFAC enforcement investigation is initiated and an SDN interest is subsequently determined to have been present. OFAC will also consider a company's "full and timely cooperation with law enforcement both during and after a ransomware attack" as a significant mitigating factor. OFAC's instruction is loud and clear:
With respect to contacting, cooperating with and follow-up reporting to law enforcement, the advisory provides seven points of contact. It would be wonderful if the suggested outreach to the listed US government offices would result in a swift, coordinated and helpful response assisting a ransomware victim in determining whether it is dealing with a sanctioned entity. Unfortunately, these qualities are not always the hallmarks of government offices labouring under bureaucratic and resource limitations. Asking a victim of ransomware – while its servers are frozen, its communication system is hobbled and its customers are demanding answers – to consider seeking guidance from up to seven different government offices seems a bit much.
It is not OFAC's fault that there is an overabundance of enforcement offices jumping at the chance to help ransomware victims. However, both the government and the ransomware victims would probably be better served if there was one point office that could coordinate for the government and advise the victim with one voice.
For the record, below are all seven contacts that the advisory suggests:
OFAC's advisory generally condemns ransomware payments, warning that such payments will embolden actors to engage in future cyberattacks, but stops short of stating that OFAC considers all ransom payments associated with the ransomware and malware that it identifies (ie, Cryptolocker, SamSam, WannaCry 2.0 or Dridex) to be prohibited payments in which an SDN has an interest. The advisory unfortunately does not offer guidance on how to connect the dots between a particular ransomware attack and whether a sanctioned party is behind it. However, it does make clear that early and cooperative contact with law enforcement, most preferably before a ransom is paid, is essential to lowering a company's risk. As such, companies that may be comfortable subsequently filing a report on the ransomware attack with an enforcement office should give that option serious consideration.
For further information on this topic please contact Matthew Tuchband, Kay C Georgi or Jessica DiPietro at Arent Fox LLP's Washington DC office by telephone (+1 202 857 6000) or email (email@example.com, firstname.lastname@example.org or email@example.com). Alternatively, contact Marwa M Hassoun at Arent Fox LLP's Los Angeles office by telephone (+1 213 629 7400) or email (firstname.lastname@example.org). The Arent Fox LLP website can be accessed at www.arentfox.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.