Why are Ransomware Attacks an OFAC Issue?
Updated: Nov 8, 2021
The U.S. Department of the Treasury recently released its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
The Office of Foreign Assets Control (OFAC) has been closely involved in efforts to combat the increase in ransomware attacks across the United States. OFAC acknowledges that most perpetrators of cyber and ransomware attacks are not U.S. citizens and, furthermore, may themselves be sanctioned or, if not, affiliated with a sanctions nexus. In this case, a sanctions nexus is established when the perpetrator of the attack is affiliated with a sanctioned group or country, even though they may not be specifically listed for sanctions.
The notice listed prolific cybercrime groups as examples of how pervasive these cyber attacks have been.
In 2015, Evil Corp, a Russia-based organization, harvested login credentials from hundreds of banks and financial institutions in over forty countries while also causing more than $100 million in theft.
Starting in late 2015 and continuing for nearly three years, SamSam ransomware was used to target U.S. government institutions, and it was later discovered that two Iranians provided material support for the development and implementation of SamSam.
In 2017, the Lazarus Group, an organization sponsored by North Korea, infected over 300,000 computers in at least 150 countries with malware.
In September 2021, SUEX OTC, S.R.O., a virtual currency exchange, was designated for its facilitation of financial transactions for ransomware attackers. OFAC identified payments from the use of at least eight ransomware variants on the platform. Generally, it was found that more than 40% of SUEX's known transaction history was associated with illicit activities or actors.
As detailed above, a sanctions nexus can be established based on the attacker's affiliation or even the platform that they used for payment if they aren't individually sanctioned.
Remember that OFAC imposes civil penalties for sanctions violations on a strict liability basis. As with other types of transactions that may result in sanctions violations, OFAC first considers whether the violating party had instituted an internal compliance program at the time of the violation. The factor unique to ransomware payments that OFAC considers when evaluating penalties is the defensive/resilience measures the victim took to preemptively protect against and prevent cyber attacks. Returning to the typical evaluation system, OFAC also considers whether the violator self-reported the potential violation and the timing of the report in relation to the initial attack.
Lastly, OFAC strongly discourages any ransomware payments, stating the following:
"Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis with a presumption of denial."