DEPARTMENT OF THE TREASURY
WASHINGTON, D.C.
Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments [1]
Date: September 21, 2021
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this updated advisory to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action.2
Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business.
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating...
1) As is common with most "advisories," this advisory (generally) does not clarify the scope and operation of any OFAC-administered sanctions provisions. Instead, it serves primarily to alert the regulated community to OFAC's policy positions concerning the making and/or facilitation of "ransom" payments to sanctioned persons. The advisory is notable for the statement of licensing policy (case-by-case basis with a presumption of denial) and policy concerning enforcement.
"The Advisory updated on 9-21-2021 (note that the PDF file contains the updated and original versions). The updated version does not make major substantive changes from the previous version, other than to make clear that the "material assistance" derivative designation criterion can (and will) be used against non-U.S. persons that facilitate ransomware payments (even if such actors are not otherwise cybercriminals). The updated Advisory was issued on the same day that OFAC designated "SUEX OTC,...