October 12, 2021
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced several actions focused on disrupting criminal digital finance infrastructure, including virtual currency exchanges, responsible for laundering cyberattack ransoms, and encouraging incident and ransomware payment reporting to U.S. authorities.[1] OFAC issued an updated advisory on potential sanctions risks associated with facilitating ransomware payments (the “Advisory”). OFAC also added Russia-based cryptocurrency exchange Suex.io to its Specially Designated Nationals and Blocked Persons List (the “SDN List”). This is the first cryptocurrency exchange to be added to the SDN List. Treasury’s actions aim to advance the U.S. government’s broader counter-ransomware strategy. Below we discuss several practical sanctions risk mitigation strategies for companies in light of OFAC’s recent actions.
Sanctions Risks
The Advisory highlights the sanctions risks associated with making and facilitating ransomware payments in the cyber context. The Advisory updates and supersedes OFAC’s prior advisory on the same topic issued on October 1, 2020. Persons determined to facilitate ransomware payments may violate OFAC regulations if the payments involve, directly or indirectly, targets of U.S. sanctions. U.S. persons are generally forbidden to engage, directly or indirectly, in transactions involving sanctions targets, including SDNs and other blocked persons, and their 50%-or-more owned affiliates, as well as persons located, organized or residing in comprehensively sanctioned jurisdictions. Non-U.S. persons are prohibited from causing a U.S. person to violate any sanctions authorized by the International Emergency Economic Powers Act, as amended. U.S. persons, wherever located, are also generally prohibited from facilitating non-U.S. persons’ actions that could not be directly performed by U.S. persons due to U.S. sanctions regulations.
The Advisory emphasizes that OFAC continues to strongly discourage payment of ransom in connection with cyberattacks and that it will continue to impose sanctions on persons who materially assist, sponsor, or provide financial, material, or technological support for ransomware activities. The U.S. Department of Justice may also bring criminal charges in connection with ransomware schemes.[2] As noted in the Advisory and the 2020 advisory, OFAC will review license applications involving ransomware payments resulting from cyberattacks on a case-by-case basis with a presumption of denial.
Mitigating Factors
Most notably, the Advisory includes steps companies can take to mitigate the sanctions enforcement risks associated with ransomware payments. It specifies that OFAC will consider the following actions by a company to be mitigating factors in any OFAC enforcement action:
In addition, the Advisory emphasizes the importance of a risk-based sanctions compliance program. In particular, companies that engage with victims of ransomware – including those that provide cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments – should account in their policies for the risk that a ransomware payment may involve a sanctions target.
For the first time, OFAC designated a virtual currency exchange, Suex OTC, S.R.O. (a.k.a. “Successful Exchange,” “Suex”), for facilitating financial transactions for ransomware actors (involving illicit proceeds from at least eight ransomware variants).[3] Suex was designated pursuant to Executive Order 13,694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” As a result of the designation, all of Suex’s property and interests in property subject to U.S. jurisdiction are blocked. According to the U.S. government’s analysis, more than 40 percent of the known transactions on Suex were associated with illicit actors. OFAC also added a number of Bitcoin, Ether, and Tether digital wallet addresses associated with Suex to the SDN List.
[1] Ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or information technology systems to extort payments from victims in exchange for a decryption key to restore victims’ access to their systems or data. Where the victim’s data is also exfiltrated, the illicit actors generally promise to delete the exfiltrated data in exchange for payment of the ransom.
[2] For example, in 2019, when OFAC designated Maksim Yakubets and Igor Turashev for development and distribution of malware, the United States (through the Departments of Justice and State) and the UK also charged them in connection with a decade-long cybercrime scheme. In 2021, the U.S. Department of Justice charged three North Korean programmers with participating in a criminal conspiracy involving cyberattacks, extortion of money and cryptocurrency, malware applications, and a fraudulent blockchain platform. OFAC had previously designated one of the individuals under its North Korea-related sanctions program in 2018.
[3] OFAC has previously blocked numerous cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. For example, in 2016, OFAC designated Evgeniy Mikhailovich Bogachev, developer of a ransomware variant known as Cryptolocker, and in 2018, OFAC designated two Iran-based financial facilitators of malicious cyber activity relating to SamSam ransomware.