Is the Treasury Department’s Advisory Regarding Sanctions for Ransomware Payments Pouring Salt in the Wound?
By Paul Zimmerman
October 27, 2020
On October 1, 2020, the Office of Foreign Assets Control (OFAC), part of the U.S. Treasury Department, issued an advisory on the sanctions risk that American companies face when they pay ransomware attackers. The alarming part is that the standard for civil liability is strict liability, and it applies not only to the party paying the ransom but also to parties that facilitate the payment, such as cyber-liability insurers, cryptocurrency brokers, and the like. But the real question is whether this advisory signals any real change in policy.
First, a Word About Ransomware
Ransomware usually enters an organization's systems when an employee unwittingly opens an attachment or clicks a link in an email. The email is disguised as something relevant to the employee's job functions, or relies on some other ruse. Sometimes the attacker has already compromised an email account in the organization and has been conducting surveillance. Surveillance lets the attacker tailor the lure so that the target is more likely to click, and it can also let the attacker exfiltrate information from the organization's systems before launching the attack. Either way, one click executes a payload that encrypts some or all of the organization's systems and data. The attacker then leaves a ransom demand and waits for the organization to make contact and bargain for the decryption key that would restore access to its systems or data.
Employees make mistakes, even understandable ones, so ransomware is not solely an "IT problem." Layered security and effective controls cannot prevent every attack. Hopefully, your organization's security plan includes a suitable backup system that is regularly tested and kept isolated from the production network, so the attacker cannot encrypt the backups along with everything else. In many instances, restoring from a backup taken before the attack was launched can overcome the attack. For some known ransomware families, flaws in the malware or recovered keys have also made free decryption tools available. Clearly, employee education and awareness are among the best defenses. Despite all that, ransomware remains among the biggest cyber threats to businesses of all sizes, and layered defenses that include an adequate email hygiene program and suitable policies and procedures will not prevent, or guarantee recovery from, every attack. At some point, a decision whether to pay the ransom may be necessary. This is rarely an easy decision. Sometimes the pressure to pay is stronger than at other times, as for a tax preparer during tax season, a hospital, or any other organization facing inordinate time pressures. Often, payment is treated as a purely economic decision: is the cost of the ransom less than the cost of keeping the systems down?
Hazards of Paying the Ransom
There are arguments for and against paying a ransom. Paying increases the chance of resuming normal operations, which is clearly a good thing, although it does not guarantee that the attacker will deliver a working decryption key. The arguments against it include that payment incentivizes further attacks and that the proceeds are often used to fund other types of attacks; particularly when the attacker is a nation state, ransomware can be a funding mechanism. Those arguments are valid, and the debate about whether to pay ransoms is needed. In the meantime, the reality is that ransomware payouts are increasing (see "Ransomware Payments Up 33%").
Aside from the debate over whether ransomware payments harm the nation's economy and security, such payments may violate statutes and regulations that target sanctioned nations, organizations, and individuals. The Treasury advisory cites sanctions imposed on North Korean and Iranian actors, among others, for their roles in various cyber attacks on American businesses and interests. The advisory explains: "OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities." That certainly makes sense. The advisory suggests that companies "implement a risk-based compliance program to mitigate exposure to sanctions-related violations." That also makes sense. The advisory's recommendations are followed by a caution: "This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses)."
These warnings arise from the fact that the statutes underlying OFAC's sanctions programs, such as the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. §§ 1701-06) and the Trading with the Enemy Act (TWEA) (50 U.S.C. §§ 4301-41), are written such that a ransom payment to an attacker that is a sanctioned nation, entity, or individual runs afoul of them. As such, making or facilitating such a payment can itself be a violation. The advisory states: "OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC." Yes, paying a ransom could result in government penalties even if the victim of the attack does not know or have reason to know that the attacker is sanctioned by OFAC.
In short, paying or facilitating a ransom could violate the law if the attacker is sanctioned, even if those involved in the payment are unaware of its sanctions status. This is not a new development; the advisory is intended as a reminder or, for those unfamiliar with laws such as the IEEPA and the TWEA, a caution. The advisory notes a few ways in which companies can mitigate sanctions risk: (1) report attacks to the FBI promptly and cooperate with law enforcement investigations, which the advisory says OFAC will treat as a significant mitigating factor in any enforcement decision; and (2) address these risks in the company's risk-based compliance program.
It does not appear that OFAC has ever penalized an American company for paying or facilitating payment of a ransom. However, as policy decisions are made to increase pressure on sanctioned states and entities in countries like Iran and North Korea, the risk to those involved in paying ransoms could increase. Additionally, if an organization applies to OFAC for a specific license to make a ransom payment that would otherwise be prohibited, the advisory states that such applications are reviewed case by case with a presumption of denial, so the applicant must overcome that presumption.
Of course, determining whether the attacker is sanctioned can be difficult. Attackers rarely identify themselves, so the determination rests on attribution: comparing the ransomware family, the command-and-control infrastructure, and the cryptocurrency wallet addresses in the ransom demand against OFAC's Specially Designated Nationals (SDN) list, which includes digital currency addresses for some designated actors, and against threat intelligence on known groups. The forensics team and others involved in the response can assist with that, and their findings should be documented in case the decision is later questioned.
Key takeaways:
(1) Consider the possibility of sanctions in determining what steps to take and how much to budget for mitigation of ransomware risks;
(2) Evaluate your cyber-liability policy for coverage as to government sanctions to determine whether OFAC penalties would be covered. Furthermore, consider the possibility that attacks by sanctioned hackers could implicate any act-of-terrorism or act-of-war exclusions in the company's policies;
(3) Plan ahead for the degree to which possible OFAC sanctions will impact the organization’s determination of whether to pay a ransom; and
(4) Consult appropriate advisors on whether to pay a ransom and whether doing so involves a risk of penalties from OFAC. Consider the risk of sanctions in decisions about reporting the attack to the FBI and coordinating with law enforcement.
About Christian & Small
Christian & Small LLP represents a diverse clientele throughout Alabama, the Southeast, and the nation with clients ranging from individuals and closely held businesses to Fortune 500 corporations. By matching highly experienced lawyers with specific client needs, Christian & Small develops innovative, effective and efficient solutions for clients. With offices in Birmingham, metro-Jackson, Mississippi, and the Alabama Gulf Coast, Christian & Small focuses on the areas of litigation and business, is a member of the International Society of Primerus Law Firms, and is the only Alabama-based member firm in the Leadership Council on Legal Diversity. Our corporate social responsibility program is focused on education, and diversity is one of Christian & Small’s core values.