OFAC issues new briefing note on potential risk of sanctions to facilitate ransomware payments

On September 21, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) released an updated advisory on the potential sanctions risks associated with facilitating ransomware payments, and also on the “proactive steps” that companies can take to mitigate those risks. See “The OFAC Note”, available here. The note follows increased regulatory activity and public statements regarding ransomware by the Biden administration, and further, it comes in the wake of OFAC’s designation and sanctioning of SUEX OTC, SRO for its part in facilitating financial transactions for ransomware actors involving the illicit proceeds of at least eight ransomware variants.

The revised memo highlights OFAC’s concern over many types of businesses that play a role in ransomware cases and subsequent payments. The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance companies, and businesses involved in digital forensics and incident response, not only encourage future ransomware payment demands, but may also risk violating OFAC regulations. The US government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on building defensive and resilient measures to prevent and protect against ransomware attacks. (emphasis added).

The OFAC memo goes on to note that the growth and facilitation of ransomware payments threatens the country’s national security and foreign policy:

Facilitating payment for ransomware demanded as a result of malicious cyber activity can allow criminals and adversaries with a sanctions link to profit and further their illicit objectives. For example, ransomware payments made to sanctioned individuals or to sanctioned jurisdictions could be used to fund activities contrary to US national security and foreign policy objectives. Such payments not only encourage and enrich malicious actors, but also perpetuate and incite further attacks. In addition, there is no guarantee that companies will regain access to their data or be themselves safe from further attacks. For these reasons, the US government strongly discourages the payment of cyber ransom or extortion demands. (emphasis added).

Although paying a ransom is strongly discouraged by the US government, we note that paying a ransom is not inherently illegal. However, if the payment is made to a sanctioned party, OFAC may impose civil penalties for sanctions violations based on a strict liability standard. In determining the appropriate penalty, the OFAC memo notes that “under OFAC enforcement guidelines, the existence, nature and adequacy of a sanctions compliance program is a factor that OFAC may take into account when determining an appropriate response to an apparent violation of US sanctions laws or regulations.” The OFAC note goes on:

In general, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions violations. This also applies to businesses that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including deposit-taking institutions and money-service businesses). In particular, such companies’ sanctions compliance programs should consider the risk that a ransomware payment could involve an SDN or a blocked person, or a fully embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have any regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.

OFAC also stresses the need to cooperate with the government when dealing with the potential effects of a ransomware attack, and it will view this cooperation as a potentially mitigating factor for a violation of OFAC sanctions:

OFAC strongly encourages all victims and anyone involved in combating ransomware attacks to report the incident to CISA, their local FBI office, the FBI Internet Crime Complaint Center, or their local US Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s OCCIP and contact OFAC if there is reason to suspect a potential sanctions link with a ransomware payment. As noted, in doing so, victims may benefit from significant mitigation from OFAC when it determines an appropriate enforcement response in the event that a sanctions link is found in relation to a ransomware payment.

Finally, OFAC refers to the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide (the CISA memo), which describes the measures that can be taken to reduce the risk of extortion by a sanctioned actor by adopting or improving cybersecurity practices.

These steps could include maintaining offline data backups, developing incident response plans, implementing cybersecurity training, regularly updating anti-virus and anti-malware software, and using authentication protocols, among others.


As we are often in a position to respond to ransomware attacks against clients, we certainly take to heart the strong statements made in the OFAC Note regarding the facilitation of ransomware payments. Ransomware has plagued US businesses for years, and such attacks are increasing rather than declining. While the substance of the OFAC memo is not entirely new, its tone is clearly that of “we’re serious.”

Perhaps the most important part of OFAC’s note for public and private companies is its reference to the CISA memo’s list of best ransomware prevention practices. We believe the CISA memo is required reading for businesses, and its reference to offline data backups is very important advice. Offline backups can mean life or death for businesses hit by ransomware. They should be strongly encouraged for any business. Here is the relevant passage from the CISA memo.

It is essential to maintain offline, encrypted backups of data and to test your backups regularly. Backup procedures should be performed regularly. It is important that backups are kept offline, as many ransomware variants attempt to find and delete or encrypt all accessible backups. Keeping current backups offline is essential, as there is no need to pay a ransom for data that is readily available to your organization.

  • Maintain regularly updated “gold images” of critical systems in case they need to be rebuilt. This involves maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or a server.
  • Retain backup material for rebuilding systems in case rebuilding the primary system is not preferred.
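The CISA passage above says to keep backups offline and to test them regularly, but does not say what "testing" looks like in practice. The following is an added example, not code from the OFAC advisory or the CISA Ransomware Guide: it records a SHA-256 manifest of a source tree at backup time, then checks a restored copy against that manifest so that a member that was corrupted, altered before the backup went offline, or silently dropped is detected before the organization relies on it. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Backup manifest creation and restore verification (added example).

A manifest of SHA-256 hashes is written when the backup is taken and stored
alongside it. After a test restore, the restored tree is compared against the
manifest, which turns "test your backups regularly" into a repeatable check
that reports missing, modified and unexpected files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup members need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Record the manifest for root as JSON at manifest_path and return it."""
    manifest = build_manifest(root)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(restored_root: Path, manifest_path: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns a report with three lists: files missing from the restore, files
    whose contents changed, and files present that the manifest never recorded.
    Extra files do not fail the check but are reported so they can be explained.
    """
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not missing and not modified,
        "missing": missing,
        "modified": modified,
        "extra": extra,
    }


def demo() -> dict:
    """Constructed scenario: back up a small tree, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        manifest_path = tmp / "backup.manifest.json"
        write_manifest(src, manifest_path)

        # Simulate a restore in which one file is missing, one was altered,
        # and one file appears that was never part of the backup.
        restored = tmp / "restored"
        (restored / "db").mkdir(parents=True)          # customers.sql never restored
        (restored / "config.yaml").write_text("retention_days: 7\n")  # altered
        (restored / "stray.tmp").write_text("")                         # unexpected
        return verify_restore(restored, manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the manifest travels with the offline copy (or is kept on separate write-once media) so that whatever alters the backup cannot also rewrite the record it is checked against; a restore drill that runs `verify_restore` on a scheduled basis is the check the CISA guidance is asking for.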

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
