Sanctions: US toughens stance on ransomware payments

The US government has urged businesses to "implement a risk-based compliance program" to address the possibility that they may breach international sanctions by paying ransoms to cyber attackers or in helping others to do so.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) confirmed that businesses that facilitate ransomware payments, including financial institutions, cyber insurance providers, and companies involved in digital forensics and incident response, "not only encourage future ransomware payment demands but also may risk violating OFAC regulations".

OFAC has the power to issue financial penalties on businesses that breach US sanctions.

In a recent advisory notice on the issue, OFAC said that "ransomware payments with a sanctions nexus threaten US national security interests". It encouraged businesses to submit a "timely, and complete report" of ransomware attacks to law enforcement agencies, suggesting that those that do so could benefit from a more lenient approach to enforcement "if the situation is later determined to have a sanctions nexus".

Ransomware is a type of cyber attack that sees hackers install malicious software on to computer systems that prevent organisations carrying out everyday operations or accessing data or other assets. Organisations are prompted to make a payment to the hackers to bring about an end to the attack. Ransomware attacks have been growing in prominence in recent years, with foreign exchange business Travelex among those reported to have fallen victim to such an attack.

David McIlwaine and Andrew Sackey, cyber risk and financial crime law specialists at Pinsent Masons, the law firm behind Out-Law, said they had witnessed a marked uptick in the amount of cyber ransom demands. They said the OFAC advisory notice reinforces the need for businesses that fall victim to ransomware attacks to carry out specialist due diligence before deciding whether to pay the ransom requested.

Sackey said: "Although victims of cyber attacks might consider that the threat actors who have unlawfully interfered with their systems or data are entirely anonymous entities; the global law enforcement community has developed a comprehensive, and constantly evolving, profile of cyber threat methodologies. These consolidated lists provide those charged with regulating or advising on cyber threats with key markers which may point towards the individuals or entities behind an attack."

"Any cyber victim, or insurer, who makes a payment to an entity who they have reasonable cause to suspect may be linked to a terrorist or sanctioned, or otherwise designated, party will be liable for criminal sanction. Timely engagement with specialist advisers will allow dedicated due diligence to be conducted against current data profiles prior to any payment being made; this will help guard against future allegations that a victim failed to do that which was 'reasonable' to ascertain whether there was suspicion that ransom payments may in fact have been made to a prohibited party," he said.

"The developing understanding of global cyber actors increases the requirement for victim companies to guard against allegations that they didn’t do enough to discharge their legal obligations. If payments are made without these checks having been conducted, companies will need a compelling narrative to explain that omission," Sackey said.

McIlwaine said: "Whilst deciding whether to pay a ransom is always a business decision, factoring-in issues including values and ethical considerations; reputational impact – both in terms of customers and staff; cost and likely effectiveness, it is critical to ensure that the necessary compliance steps are followed so that all parties involved protect themselves from criminal sanction."