On September 21, 2021, the US Department of Treasury’s Office of Foreign Assets Control announced that it updated its ransomware advisory to inform companies of the risk of violating US sanctions when making ransomware payments in response to cyber-attacks. OFAC also shared proactive measures that companies can take in order to avoid ransomware attacks and discussed mitigating factors that it would consider in cyber-related enforcement actions. In addition, for the first time in history, OFAC designated a virtual currency exchange for providing material support to ransomware actors.
In its updated advisory, OFAC discourages companies from paying ransomware demands because it allows cyber-criminals to profit from their illicit operations, encourages future attacks, and funds activities that are adverse to national security objectives and foreign policy objectives of the US. In addition, OFAC warns that ransomware payments may violate US sanctions regulations if the cyber-criminal is a designated individual or entity or is located in an area covered by a comprehensively embargoed jurisdiction such as Cuba, Iran, or the Crimea region of Ukraine, and encourages companies to improve their sanctions compliance programs and cybersecurity practices because the adequacy of these programs are considered mitigating factors if an enforcement action is initiated. If a ransomware attack occurs, OFAC also strongly encourages victims to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA) or their local FBI office, and provides a list of other agencies that companies should contact for assistance. Importantly, OFAC notes that it will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, made as soon as possible after discovery of an attack, to be a voluntary self-disclosure. OFAC also notes that such reports will be considered as an additional mitigating factor, and would cause OFAC to “be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter)[.]”
OFAC reports that virtual currency exchanges are the principal means by which cyber-criminals facilitate ransomware payments and launder ransomware proceeds. Therefore, in an effort to curtail these types of transactions, OFAC designated, for the first time, a virtual currency exchange for facilitating unlawful transactions for ransomware actors. SUEX OTC, SRO (SUEX) was designated by OFAC on September 21, 2021, pursuant to Executive Order 13694, as amended, for handling transactions involving proceeds linked to at least eight ransomware variants. According to OFAC, an analysis of SUEX’s transaction history showed that more than 40 percent of its transactions were performed for ransomware actors.
As a result of this designation, all US property of SUEX is blocked, and all transactions with SUEX are generally prohibited. In addition, any entity that is owned fifty percent or more by SUEX is also blocked, and any financial institution that engages in certain transactions with SUEX may be at risk for secondary sanctions.