On October 1, 2020, the US Department of the Treasury’s Office of Terrorism and Financial Intelligence issued a press release announcing two advisories regarding ransomware cyberattacks. Ransomware is a form of malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, cyberattackers threaten to publicly disclose victims’ sensitive files. The cyber actors then demand a ransomware payment, usually through digital currency, in exchange for a key to decrypt the files and restore victims’ access to systems or data.
According to the Treasury, demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to conduct business remotely. Most notably, the advisories warn companies that facilitate ransomware payments (think banks, insurers, and IT companies) to cyberattackers of potential enforcement liability under a host of regulations
In its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, the Treasury’s Office of Foreign Assets Control (“OFAC”) warns that facilitating ransomware payments on behalf of victims could result in liability under OFAC sanctions. The Advisory suggests that facilitation of such payments may encourage future ransomware demands and risk violating OFAC regulations by facilitating payments to cyberattackers. Rather than making payments, OFAC recommends implementing risk-based compliance programs to mitigate their potential exposure to sanctions-related violations and reporting to law enforcement.
Similarly, the Treasury’s Financial Crimes Enforcement Network’s (“FinCEN”) Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments emphasizes the importance of financial institutions detecting and reporting ransomware payments to deter further attacks and hold cyberattackers accountable for their crimes.
Patrick Ellis is a Traverse City, Michigan-based attorney counseling businesses across numerous industries and stages of maturity regarding corporate formations and governance, investment financing, commercial and strategic transactions, real estate, and day-to-day, operational and legal matters. If you have any questions about the issues addressed in this post, or if you would like a copy of any of the materials mentioned in it, please contact: