Interesting advisory from the Treasury Dept. regarding ransomware

If you are a potential ransomware victim, an insurance company who provides ransomware protection, an IT Services provider or financial institution who may provide services to a ransomware victim, the latest advisory from the U. S. Treasury Department suggesting that you may be subject to civil penalties if you pay, recommend paying or facilitate the payment of a ransom may be worth a read.

The U.S. Department of the Treasure’s Office of Foreign Assets Control (OFAC) released an advisory on 1 October 2020 that suggests that it can and may pursue civil penalties against victims of ransomware who pay the ransom as well as third parties who recommend or facilitate ransomware payments. I’ve linked the advisory below and have copy / pasted some of the pertinent sections of the advisory with some comments below.

According to the advisory, OFAC has imposed and will continue to impose sanctions on not only the threat actors but also the ransomware victims and those who materially support the ransomware victims pay the ransom (from page 2 of the advisory).

OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.
— from page 2 of the advisory

According to the advisory, OFAC may pursue civil penalties even if the person they are pursuing civil penalties against is unaware that the ransomware payment is ultimately benefiting (directly or indirectly) blocked persons or those covered by comprehensive country or region embargoes.

OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
— from page 3 of the advisory

According to the advisory, OFAC is interested in pursuing civil penalties against not only the ransomware victim but anyone who suggests or facilitates the payment of a ransom including (but likely not limited to) insurance providers, digital forensics teams, incident response teams, banks and other financial institutions, etc.

As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.
— from page 3 & 4 of the advisory

According to the advisory, if ransomware victims report the attack to law enforcement promptly (but still pay), that will be looked upon favorably [by OFAC] in determining whether to pursue civil penalties and, if so, to what degree.

Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.
— from page 4 of the advisory

While I believe I understand the intent of the advisory (the United States does not negotiate with or otherwise support terrorists), my concern is that this is criminalizing ransomware victim and those who work to make them whole after the attack (insurance companies who pay [after the victim has paid their premiums], digital forensics and incident response teams who try [without success] to recover the encrypted data and recommend paying as a last resort to restore the data / functionality / etc. or banks and / or financial institutions who facilitate payment).

Additional Information

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (PDF)