Norton Rose Fulbright - Data Protection Report blog

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem.  OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the SDN List; and (3) amending its earlier October 1, 2020 guidance to companies on the potential sanctions risks for facilitating ransomware payments.  OFAC’s summary of the additional sanctions designations is available here and its updated guidance is available here.

While OFAC has previously designated certain ransomware related individuals, entities, and digital currency addresses to the SDN List (e.g., the Lazarus Group), today’s sanctions mark the first time that OFAC has designated an entire cryptocurrency exchange.  According to OFAC’s related press release (available here), SUEX, which was designated under EO 13694 for providing material support to criminal ransomware actors, was determined to have “facilitated transactions involving illicit proceeds from at least eight ransomware variants . . . [and an] analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.”  In the press release, OFAC clarified, however, that the designation of SUEX does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant despite the fact that SUEX has been reported to have association with ransomware operators Ryuk, Conti, and Maze.

OFAC’s revised guidance regarding the risks of ransomware payments does not substantially modify OFAC’s earlier October 1, 2020 guidance on the same topic (available here) in which OFAC highlighted: (i) the U.S. government’s opposition to parties making ransomware payments; (ii) the sanctions risks faced by parties that, knowingly or unknowingly, make or facilitate ransom payments to malicious threat actors; and (iii) the significant mitigation credit such parties would receive for promptly notifying, and cooperating with, US law enforcement and relevant government agencies regarding the attack and for implementing an appropriate compliance program.

Today’s amended guidance expands upon those earlier points by reiterating that the U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands but emphasizing the importance of improving cybersecurity practices and reporting to, and cooperating with, appropriate U.S. government agencies in the event of a ransomware attack.  In particular, the amended guidance states for the first time that: (i) companies that take “meaningful steps” to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, will receive significant mitigation credit in any OFAC enforcement action; (ii) OFAC will treat a company’s report of an attack with a potential nexus to sanctioned actors to law enforcement and/or federal government agencies as a voluntary disclosure with associated mitigation credit; and (iii) that where a company promptly reports the incident, cooperates with law enforcement, and implements a compliance program, OFAC will likely resolve any subsequent enforcement action without a penalty. OFAC highlights this last point by noting that “OFAC will also consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack — e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible — to be a significant mitigating factor” in determining an appropriate enforcement response.

Practical Implications

Overall, today’s actions by OFAC were in line with previous guidance and provides more information on mitigating factors that will be considered by OFAC when companies are in these challenging situations.  Notably, OFAC did not designate any additional threat actors to the SDN List or take a more aggressive approach towards companies that are faced with the dilemma of making ransomware payments to unknown third parties.

OFAC’s designation, for the first time, of an entire crypto-exchange to the SDN List recognizes that designations of particular threat actors or digital currency addresses are of limited utility in deterring future attacks as threat actors can easily mask their identity or utilize different addresses.  While threat actors can also utilize different currency exchanges, the hope appears to be that SUEX’ designation will serve as a warning shot to other exchanges. Analysis of known SUEX transactions showed that over 40% of SUEX’s known transaction history was associated with illicit actors.and OFAC emphasized it will continue to impose sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for ransomware activities.

The revised guidance should be reviewed carefully by all companies, regardless of whether they have already experienced a cyber-attack, as OFAC is providing fairly explicit guidance that companies that have implemented the described cyber-security and compliance measures will receive significant mitigation credit in the event they are ultimately forced to make a ransomware payment.

OFAC has also made clear that if an attack occurs, companies should strongly consider notifying, and cooperating with law enforcement and the relevant US government agencies identified in OFAC’s guidance.  By notifying and cooperating with such agencies, companies can receive valuable intelligence regarding how the government perceives the identified threat actor and also receive significant additional mitigation credit in any enforcement action.

While ransomware attacks lead to a myriad of difficult challenges, OFAC’s revised guidance appears to at least provide some comfort that if the recommended measures are implemented, companies are unlikely to face significant penalties should they inadvertently make a payment to a prohibited party.  Companies should review and revise their incident response plans and ransomware playbooks accordingly.