On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory alerting companies to potential sanctions risks related to facilitating ransomware payments. The five-page advisory states that ransomware victims who pay ransom amounts, and third-party companies that negotiate or pay ransom on their behalf, “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
In the advisory, OFAC wrote that “[r]ansomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States” and took the position that ransomware payments may encourage future attacks. Because a ransomware payment might involve a person or jurisdiction on the OFAC sanctions list, the advisory states that such a payment could violate applicable OFAC sanctions. The advisory also encourages ransomware victims and third parties involved in addressing ransomware attacks to contact OFAC if they believe a request for a ransomware payment would implicate sanctions considerations. Contact information for relevant U.S. government agencies is included at the end of the advisory. OFAC added that it will consider a ransomware victim’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
OFAC notes that ransomware attacks have become more “focused, sophisticated, costly, and numerous” in recent years, and that ransomware attacks may target organizations of any size in both the public and private sectors. OFAC has designated “numerous malicious cyber actors” under its sanctions and cyber-related programs, including the developers of well-known ransomware strains such as Cryptolocker, SamSam and WannaCry. The advisory notes that OFAC has imposed (and will continue to impose) sanctions on these actors and others who materially assist, sponsor or provide financial, material or technological support for the ransomware activities.