OFAC updates its advisory on enforcement risks associated with agreeing to pay ransomware demands
First article in a two-part series on recent OFAC designations
On September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange by designating SUEX OTC, SRO (SUEX) “for its part in facilitating financial transactions for ransomware variants.” Although this is a one-time development, the larger and more important issue for any financial institution or business facing a ransomware attack is the persistent problem encapsulated in OFAC’s six-page Updated Notice on Potential Sanction Risks to Facilitate Ransomware Payments, which OFAC published in conjunction with the announcement of the SUEX designation. The updated advisory illustrates a ‘Catch-22’ scenario, in which a victim who stops a ransomware attack by making the requested payment may then find themselves subject to OFAC enforcement on a strict liability basis if it turns out that the attackers were sanctioned or otherwise had a sanction link. The updated advisory indicates that OFAC will consider self-reporting, cooperation with the government, and strong cybersecurity measures as mitigating factors in any enforcement action being considered.
OFAC has been busy. Tomorrow, we will be posting a blog on a more traditional action announced by OFAC just before the SUEX designation: the designation by OFAC of members of a network of financial conduits funding Hezbollah and the Islamic Revolutionary Guard Corps-Quds Force of Iran. This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through shell companies.
The SUEX blacklist
According to OFAC, more than 40% of SUEX’s known transaction history is associated with illicit actors. Accordingly, SUEX is prohibited from carrying out transactions with U.S. persons or from carrying out transactions in the United States, and financial institutions and other persons who engage in certain transactions or activities with the sanctioned entities and individuals may face sanctions or be subject to enforcement action. OFAC issued the designation in accordance with Executive Order (EO) 13694, titled “Blocking the Property of Certain Persons Engaging in IMPORTANT Malicious Cyber-Enabled Activities”, which was originally signed by President Barack Obama in 2015. We have previously blogged about OFAC’s capacity in other contexts to block assets and prohibit financial transactions with designated persons and entities here, here, and here.
SUEX operates in Russia and is registered in the Czech Republic. The designation specifically blacklisted 25 blockchain addresses used by or associated with SUEX. Arguably, the designation reflects a tactic by the US government to resort to sanctions, a tool the government can use relatively easily and quickly, to punish illicit foreign actors who can be very difficult to prosecute in US courts, at least without considerable effort, time and resources.
According to the press release issued by the US Treasury Department, OFAC’s designation of SUEX occurs against a backdrop of increasing scale, sophistication and frequency of ransomware attacks. Ransomware (which we previously blogged about here, here and here) is a form of malware designed to block access to a computer system or data, often by encrypting data or programs on computer systems, in order to extort ransoms from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. The Treasury Department noted that “[t]he U.S. government believes these payments are only a fraction of the economic damage caused by cyber attacks, but they underscore the goals of those seeking to militarize technology for personal gain[.] . . . [T]he disruption of critical industries, including financial services, healthcare and energy, as well as the exposure of confidential information, can cause serious damage.” According to the FBI, ransomware payments reached over $400 million in 2020, more than four times the amount of ransomware payments made in 2019. Ransomware schemes unfortunately seem to have proliferated even more in 2021, including the notorious cyberattack on Colonial Pipeline, which resulted in significant gasoline supply shortages in the United States.
The press release further observed that virtual currencies, although frequently used for lawful activities, can also be used for sanctions evasion, ransomware schemes and other cybercrimes through the use of peer-to-peer exchangers, mixers, and exchanges. In some cases, malicious actors exploit virtual currency exchanges, but other times, the virtual currency exchange allegedly facilitates illicit activities for its own illicit gain – which OFAC has alleged about SUEX.
The Treasury Department pointed out that many agencies around the world, including the US Financial Crimes Enforcement Network, the Group of Seven and the Financial Action Task Force, are trying to tackle ransomware and ransomware-related money laundering, and their link with the illicit financial risks posed by virtual assets. The Treasury Department encouraged readers to visit StopRansomware.gov, touted as a “one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience.” OFAC’s frequently asked questions on virtual currency are available here.
OFAC advisory on ransomware
The SUEX designation was accompanied by OFAC’s Updated Notice on Potential Sanction Risks to Facilitate Ransomware Payments (“Updated Notice”), which “describes the potential sanction risks associated with the execution and facilitation of ransomware payments and provides contact information for relevant US government agencies, including OFAC, if there is reason to suspect that the cyber actor demanding payment for ransomware may be sanctioned or otherwise have a sanction link.” Of course, many ransomware schemes do indeed have a sanction link, which places the victim in a potentially untenable situation, especially because a de facto sanction link may not be entirely clear to the victim. Setting aside the fact that trying to obtain an OFAC license to make an otherwise prohibited payment would take far longer than the demands of a ransomware attack allow, OFAC states in the Updated Notice that “licensing applications involving ransomware payments demanded as a result of malicious cyber activity will continue to be reviewed by OFAC on a case-by-case basis with a presumption of refusal.” (emphasis added).
After describing a list of suspected malicious cyber actors designated by OFAC for having perpetrated or facilitated ransomware attacks, including the aptly named Evil Society, the Updated Notice notes that the US government “strongly discourages” the payment of a cyber ransom, which:
. . . can allow criminals and adversaries with a sanction link to profit from and advance their illicit objectives. For example, ransomware payments made to sanctioned individuals or to sanctioned jurisdictions globally could be used to fund activities contrary to US national security and foreign policy objectives. Such payments not only encourage and enrich malicious actors, but also perpetuate and incite further attacks. In addition, there is no guarantee that companies will regain access to their data or be themselves safe from further attacks.
The Updated Notice then offers a disturbing reminder that OFAC may impose civil penalties for sanctions violations on a strict liability basis – i.e., a company can be held responsible even if it did not know or had no reason to know that it was engaged in a transaction prohibited by OFAC. “Enforcement responses range from non-public responses, including issuing a no-action letter or letter of caution, to public responses, such as civil monetary penalties.”
OFAC offers two basic avenues to minimize the potential penalties posed by this dilemma.
First, financial institutions and other businesses should implement a risk-based compliance program to mitigate exposure to sanctions violations. The program should consider the risk that a ransomware payment could involve a Specially Designated National (“SDN”) or blocked person, or a fully embargoed jurisdiction (such as North Korea). Effective cybersecurity measures can also mitigate any enforcement response from OFAC; these measures may include “maintaining offline data backups, developing incident response plans, implementing cybersecurity training, regularly updating anti-virus and anti-malware software, and the use of authentication protocols[.]” The Updated Notice specifically notes that financial institutions covered by the Bank Secrecy Act will also have related anti-money laundering obligations.
Second, “OFAC strongly encourages victims and related businesses to report these incidents and to cooperate fully with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation measures regarding issues of OFAC enforcement and receive a voluntary self-disclosure credit in the event a sanction link is later determined.” The Updated Notice states that OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a no-action letter or a letter of caution) if the victim reports the ransomware attack to OFAC, law enforcement and other relevant bodies as soon as possible and provides cooperation during and after a ransomware attack. This “encouragement” suggests that, in practice, any ransomware attack should be reported to OFAC and other agencies, as it may ultimately turn out that the attack was related to sanctions.
Even if strong cybersecurity measures, self-reporting, and cooperation with the government lead to a non-public response from OFAC, a lingering problem remains: what enforcement risks are faced by a company that finds itself the victim of a second attack involving a sanction link?