On September 21, 2021, the U.S. Department of the Treasury took several actions targeting the recent escalation of ransomware attacks and related payments, including a renewed focus on the cryptocurrency industry. Notably, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an updated advisory addressing the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities. OFAC also sanctioned an offshore cryptocurrency exchange for its involvement in facilitating ransomware payments.
OFAC’s designation of the Suex OTC exchange represents the first time ever that OFAC has sanctioned a cryptocurrency exchange. Suex OTC was sanctioned under Executive Order 13694 for facilitating financial transactions for ransomware actors, and thereby providing material support to those actors. According to OFAC’s press release, an analysis of known Suex transactions reflected that over 40 percent of Suex’s known transaction history was associated with illicit actors. Additionally, press reports indicate that Suex was operating as a “nested” exchange, in which it used the infrastructure and liquidity of a larger cryptocurrency exchange in order to facilitate and conduct transactions. The designation means that all property and interests in property of Suex that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities owned 50% or more by Suex (or other sanctioned actors) are also the subject of sanctions and their property and interests in property are blocked. In addition, there is considerable sanctions risk for financial institutions and other entities that engage in transactions or activities with Suex (or entities owned 50% or more by Suex), which risk exposure to sanctions or an enforcement action.
In OFAC’s updated Ransomware Advisory, which was initially published October 2020, OFAC takes a stronger policy stance against ransomware payments, noting that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” This is a fairly stark contrast to the October 2020 Advisory, which focused more on the sanctions risks inherent in making ransomware payments, without expressing much of a policy position. Both Advisories make clear that ransomware payments can carry significant sanctions risk, to the extent the payments involve sanctioned actors, entities, or jurisdictions that are the subject of sanctions. Moreover, many OFAC sanctions are strict liability, meaning that intent or knowledge is not required to demonstrate a civil violation (criminal violations require a showing of willfulness).
Importantly, the new Advisory also clarifies the circumstances in which victims of ransomware attacks may receive cooperation credit for voluntarily self-disclosing an apparent sanctions violation to OFAC. Under OFAC’s Enforcement Guidelines, those who voluntarily self-report an apparent sanctions violation to OFAC can be eligible for considerable benefits, including a 50% reduction in the monetary penalty, among other forms of relief. The challenge is that OFAC operates on a “first in” basis – meaning that if you do not report the violation to OFAC first (e.g., OFAC finds out about it another way or you report it to another regulator), then you may not receive the cooperation credit. OFAC’s new Advisory makes clear, for the first time, that a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies (e.g., not simply OFAC), made as soon as possible after discovery of an attack, will be deemed a voluntary self-disclosure and a significant mitigating factor in determining an enforcement response.
OFAC also advises that it “would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.”
Ransomware-related payments continue to carry tremendous sanctions risks, and responding to a cyberattack, from an operational and legal perspective, remains a challenge. This new OFAC Advisory provides clearer guidance on how to mitigate sanctions risk; however, there are still significant challenges to fully mitigating that risk, which is often nearly impossible in the current environment. At a minimum, risk mitigation will require screening counterparties, including via blockchain analytic technology, as well as analyzing IP address information and certain characteristics of the attack (e.g., the virus strain, the language the attackers use in the chat function, and even what time of day the attackers are active). It remains to be seen whether and to what extent OFAC and other U.S. regulators initiate enforcement actions against those making ransomware payments. The use of blocking sanctions against cyber attackers is probably a more immediate focus for the time being.