Treasury Actions to Counter Ransomware

October.12.2021

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced several actions focused on disrupting criminal digital finance infrastructure, including virtual currency exchanges, responsible for laundering cyberattack ransoms, and encouraging incident and ransomware payment reporting to U.S. authorities.^[1] OFAC issued an updated advisory on potential sanctions risks associated with facilitating ransomware payments (the “Advisory”). OFAC also added Russia-based cryptocurrency exchange Suex.io to its Specially Designated Nationals and Blocked Persons List (the “SDN List”). This is the first cryptocurrency exchange to be added to the SDN List. Treasury’s actions aim to advance the U.S. government’s broader counter-ransomware strategy. Below we discuss several practical sanctions risk mitigation strategies for companies in light of OFAC’s recent actions.

OFAC Updated Ransomware Advisory

Sanctions Risks

The Advisory highlights the sanctions risks associated with making and facilitating ransomware payments in the cyber context. The Advisory updates and supersedes OFAC’s prior advisory on the same topic issued on October 1, 2020. Persons determined to facilitate ransomware payments may violate OFAC regulations if the payments involve, directly or indirectly, targets of U.S. sanctions. U.S. persons are generally forbidden to engage, directly or indirectly, in transactions involving sanctions targets, including SDNs and other blocked persons, and their 50%-or-more owned affiliates, as well as persons located, organized or residing in comprehensively sanctioned jurisdictions. Non-U.S. persons are prohibited from causing a U.S. person to violate any sanctions authorized by the International Emergency Economic Powers Act, as amended. U.S. persons, wherever located, are also generally prohibited from facilitating non-U.S. persons’ actions that could not be directly performed by U.S. persons due to U.S. sanctions regulations.

The Advisory emphasizes that OFAC continues to strongly discourage payment of ransom in connection with cyberattacks and that it will continue to impose sanctions on persons who materially assist, sponsor, or provide financial, material, or technological support for ransomware activities. The U.S. Department of Justice may also bring criminal charges in connection with ransomware schemes.^[2] As noted in the Advisory and the 2020 advisory, OFAC will review license applications involving ransomware payments resulting from cyberattacks on a case-by-case basis with a presumption of denial.

Mitigating Factors

Most notably, the Advisory includes steps companies can take to mitigate the sanctions enforcement risks associated with ransomware payments. It specifies that OFAC will consider the following actions by a company to be mitigating factors in any OFAC enforcement action:

Adopting or improving cybersecurity practices to reduce the risk of cyber extortion;
Self-initiated, timely, and complete reporting of ransomware attacks to the U.S. government (which OFAC will also consider a voluntary self-disclosure); and
Cooperation with OFAC, law enforcement, and other relevant agencies.

In addition, the Advisory emphasizes the importance of a risk-based sanctions compliance program. In particular, companies that engage with victims of ransomware – including those that provide cyber insurance, digital forensics and incident responses, and financial services that may involve processing ransom payments – should account in their policies for the risk that a ransomware payment may involve a sanctions target.

Designation of Digital Currency Exchange for Complicit Financial Services

For the first time, OFAC designated a virtual currency exchange, Suex OTC, S.R.O. (a.k.a. “Successful Exchange,” “Suex”) for facilitating financial transactions for ransomware actors (involving illicit proceeds from at least eight ransomware variants).^[3] Suex was designated pursuant to Executive Order 13,694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” As a result of the designation, all of Suex’s property and interests in property subject to U.S. jurisdiction are blocked. According to the U.S. government’s analysis, more than 40 percent of the known transactions on Suex were associated with illicit actors. OFAC also added a number of Bitcoin, Ether, and Tether digital wallets addresses associated with Suex to the SDN List.

Practical Sanctions Risk Mitigation Strategies

Be proactive. The government recommends focusing on strengthening technical defensive and resilience measures to prevent and protect against ransomware attacks. Specifically, OFAC recommends measures including “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.”
Contact U.S. authorities. When a company is a victim of a cyberattack and related ransom demand that may have a sanctions nexus, the single most important action a company can take to mitigate its sanctions risk is to notify U.S. authorities, including law enforcement, OFAC and, as appropriate, the Cybersecurity and Infrastructure Security Agency or the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection as soon as possible, providing as many details as possible.
Conduct due diligence before making any ransomware payments. While the U.S. government strongly discourages companies facing ransomware demands to pay the ransom, sometimes a victim believes it has no choice but to pay to avoid losing its data or having it exposed. The latest Treasury actions make clear the importance of thorough counterparty due diligence and screening in connection with making any ransomware payments, in order to limit the victim’s potential sanctions exposure. A company contemplating using a ransom negotiator must understand the negotiator’s processes for investigating the potential sanctions connections of the illicit actor seeking the ransom. For example, does the negotiator conduct forensic analysis by analyzing the digital footprint of the threat actor, including the cryptocurrency wallet address to which the funds are being sent? Additionally, the victim should obtain evidence of the ransom negotiator’s diligence processes and conclusion that, to the best of the negotiator’s knowledge after investigation, the party demanding the ransom is not a sanctioned party.
Virtual currency exchanges must implement effective anti-money laundering programs. OFAC’s designation of Suex demonstrates the sanctions risks for virtual currency exchanges of failing to take adequate measures to prevent the use of the exchange by illicit actors to launder their cyberattack ransoms.

^[1] Ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or information technology systems to extort payments from victims in exchange for a decryption key to restore victims’ access to their systems or data. Where the victim’s data is also exfiltrated, the illicit actors generally promise to delete the exfiltrated data in exchange for payment of the ransom.

^[2] For example, in 2019, when OFAC designated Maksim Yakubets and Igor Turashev for development and distribution of malware, the United States (through the Departments of Justice and State) and the UK also charged them in connection with a decade-long cybercrime scheme. In 2021, the U.S. Department of Justice charged three North Korean programmers with participating in a criminal conspiracy involving cyberattacks, extortion of money and cryptocurrency, malware applications, and a fraudulent blockchain platform. OFAC previously designated one of the individuals under its North Korea-related sanction program in 2018.

^[3] OFAC has previously blocked numerous cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. For example, in 2016, OFAC designated Evgeniy Mikhailovich Bogachev, developer of a ransomware variant known as Cryptolocker, and in 2018, OFAC designated two Iran-based financial facilitators of malicious cyber activity relating to SamSam ransomware.

Authors

Harry Clark Partner, International Trade and Investment, Mergers & Acquisitions

Washington, D.C.

See my bio

D:+1 202 339 8499
E: [email protected]

Practice:

Technology & Innovation Sector
International Trade and Investment
Mergers & Acquisitions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Harry Clark Partner

Washington, D.C.

Harry is experienced in areas such as CFIUS/Exon-Florio examinations of foreign investment, military and “dual use” export control regulations (ITAR/EAR), economic sanctions administered by the U.S. Treasury Department (OFAC), customs regulations, the Foreign Corrupt Practices Act, anti-money laundering rules, anti-boycott requirements and defense industrial security requirements. He executes internal corporate investigations regarding trade and investment rules and advises on such rules in the context of corporate transactions.

Additionally, Harry has extensive experience with government contracting matters. His government contracting work has included, for example, design and implementation of U.S. Defense Department renewable energy projects. He also represents broad industry coalitions on major trade litigations and international negotiations. His experience in these areas includes a leading role in what is often considered the largest-ever international trade dispute: the controversy regarding unfair softwood lumber imports from Canada. It has involved myriad administrative proceedings before federal agencies, NAFTA panel appeals, WTO dispute proceedings, judicial proceedings and international settlement agreements.

Harry has represented a coalition of major U.S. oil companies in antidumping and countervailing duty litigation. As a related matter, he pursues policy issues with congressional and executive branch officials and advises on international trade rules (e.g., GATT, WTO agreements and NAFTA).

Chambers 2022 recognizes Harry as a leader in the field of export controls and economic sanctions (Chambers Global and Chambers USA), as well as CFIUS (Chambers USA). Previous editions have also recognized Harry’s achievements regarding his work related to the Foreign Corrupt Practices Act. Clients note that Harry provides “accurate, straightforward guidance incredibly efficiently” and “he has an ability to translate complex legal requirements and rules into business-friendly jargon.”

Jeanine P. McGuinness Partner, International Trade and Investment, FCPA & Anti–Corruption

Washington, D.C.

See my bio

D:+1 202 339 8543
E: [email protected]

Practice:

International Trade and Investment
FCPA & Anti–Corruption
Anti‐Money Laundering and Bank Secrecy Act
Mergers & Acquisitions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Jeanine P. McGuinness Partner

Washington, D.C.

Jeanine’s clients include major U.S. and foreign financial institutions, and pharmaceutical, technology, telecommunications, energy, and natural resources companies.

Examples of Jeanine’s experience include:

Represents clients in preparing voluntary self-disclosures, administrative subpoena responses and license applications, and represents companies in connection with enforcement actions by the Treasury Department’s Office of Foreign Assets Control (OFAC)
Provides policy and compliance advice to clients affected by frequent changes in U.S. sanctions, including sanctions targeting Iran, Cuba, and Russia/Ukraine
Assists foreign purchasers of U.S. companies in national security reviews, including navigating the CFIUS process, through preparation of notices, meetings with CFIUS member agencies, advising on follow-on investigations, and negotiating and implementing mitigation agreements
Assists clients in developing and updating economic sanctions, anti-money laundering, and anti-corruption compliance policies and procedures
Represents financial institutions in connection with U.S. federal and state enforcement actions regarding compliance with U.S. anti-money laundering laws and regulations
Represents lenders, underwriters, borrowers, and issuers in international lending and capital markets transactions regarding sanctions, anti-corruption, and anti-money laundering issues
Advises a U.S. trade association and its member banks regarding U.S. sanctions, anti-corruption, and anti-money laundering issues in lending transactions, and prepares guidance for the industry on these matters
Advises financial institutions on the application of U.S. anti-money laundering regulations, with specific emphasis on customer identification program (CIP)/know your customer (KYC)/customer due diligence (CDD) requirements and suspicious activity reporting requirements
Regularly advises private equity and hedge funds regarding compliance with U.S. anti-money laundering and sanctions laws and regulations, including with respect to appropriate provisions in subscription materials and enhanced due diligence on high-risk investors
Advises clients regarding sanctions-related inquiries from the Securities and Exchange Commission (SEC) and state agencies implementing divestment laws and assists clients in preparing sanctions-related disclosure for inclusion in annual reports to the SEC

Jeanine is ranked in both the CFIUS Experts and Export Controls & Economic Sanctions categories by Chambers USA in 2019, 2020, 2021, and 2022. An interviewee had this to say of their experience working with Jeanine, “I am continuously impressed by her extensive knowledge, excellent communication skills and her ability to wrap her subject matter expertise around the details of the matter and then drive conclusions or recommendations for next steps."

Elizabeth Zane Partner, International Trade and Investment, Mergers & Acquisitions

Washington, D.C.

See my bio

D:+1 202 339 8532
E: [email protected]

Practice:

International Trade and Investment
Mergers & Acquisitions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Elizabeth Zane Partner

Washington, D.C.

Elizabeth's experience includes work on internal investigations, voluntary disclosures, commodity jurisdiction requests and developing and implementing compliance programs. She also advises clients on government contracting matters.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Kathryn "Katy" de Visscher Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Boston

See my bio

D:+1 617 880 1800
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kathryn "Katy" de Visscher Managing Associate

Boston

Katy assists clients in their data breach investigations and cybersecurity incident response, including advising clients on data breach notification responsibilities and providing strategic advice on how to manage cybersecurity risks. She advises on enhancing existing privacy and information security policies and procedures, such as online privacy notices.

Her work includes counseling on compliance with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) for day-to-day business operations and the development of new products.

Katy graduated from Boston College Law School. During that time, she externed in the Data Privacy & Security Unit at the Massachusetts Attorney General’s Office where she supported consumer protection enforcement actions. She also interned with The Future of Privacy Forum and in-house with a leading cloud-based software company.