The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory highlighting the sanctions risk American citizens face if they help facilitate ransomware payments. In the advisory, the OFAC says it will “continue to impose sanctions on those who materially assist, sponsor, or provide financial, material, or technological support for these activities.”
In the document, the OFAC argues that acceding to ransomware demands, which are normally settled using cryptocurrencies, not only emboldens cybercriminals but also threatens the national security and foreign policy objectives of the United States. Instead, the OFAC “encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.”
Detailing the gravity of such offences, the advisory says the OFAC “may impose civil penalties for sanctions violations based on strict liability.” This means that any person subject to U.S. jurisdiction “may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws.”
The document also provides links to resources that Americans can use to determine whether their activities amount to a sanctions violation. For instance, OFAC’s Economic Sanctions Enforcement Guidelines provide more information regarding the office’s enforcement of U.S. economic sanctions. The guidelines also “include the factors that OFAC generally considers when determining an appropriate response to an apparent violation.”
Meanwhile, the OFAC says it wants “financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” According to the US sanctions enforcement office, this “applies to companies that engage with victims of ransomware attacks.”
Such companies include those providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). Furthermore, companies involved in facilitating ransomware payments on behalf of victims “should also consider whether they have regulatory obligations under the Financial Crimes Enforcement Network (FinCEN) regulations.”
According to the OFAC, ransomware attacks have become more focused, sophisticated, costly, and numerous. Citing the FBI’s Internet Crime Reports, the advisory notes that “there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019.”
The OFAC is empowered under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) to impose penalties on U.S. persons who engage in transactions, directly or indirectly, with individuals or entities on its Specially Designated Nationals and Blocked Persons List (SDN List).
However, the OFAC says it will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
The US government has already designated and sanctioned individuals and entities including Evgeniy Mikhailovich Bogachev, the developer of Cryptolocker, and the Lazarus Group, a cybercriminal organization sponsored by North Korea.