Ransomware has reached pandemic proportions, and there is no clear end in sight. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding ransom payments and the sanctions risk associated with making them.

Background

Ransomware has been around for decades. For many years, it was more of a nuisance that affected a small number of computers than a real business disrupter. In recent years, we’ve seen increased sophistication, with threat actors magnifying the impact of an incident by finding ways to encrypt many devices at the same time and by deleting or encrypting backup files, too. Additionally, many ransomware threat actors now exfiltrate data before deploying the ransomware. Thus, even if the company can restore from backups, it still faces the extortion component.

We produce a yearly report that provides statistics and insights based on the data security incidents we worked on over the prior year.[1] This year’s Report analyzes the more than 1,000 incidents we worked on in 2019, 24% of which were ransomware. In 2018, the average ransom amount was $28,920. In 2019, the average ransom amount increased to $302,539. Ransom demands have continued to grow in 2020, and, as our next report will reflect, we are seeing demands in excess of $50 million. Exfiltration is an issue in a growing number of incidents, whereas only 6% of the ransomware incidents we handled in 2019 triggered notification obligations.

One of the initial questions our clients ask us is whether companies actually pay ransom and whether there is any prohibition against making payments. Yes, companies pay ransom. And we are seeing payments made on a daily basis; that is how big this issue is. Before a payment is made, the company generally retains a third party to conduct due diligence to ensure that the payment is appropriate, i.e., that it is not being made to a sanctioned organization or to a group reasonably suspected of being tied to a sanctioned organization. Additionally, checks are in place to ensure that anti-money laundering laws are not being violated.

Questions have always been raised about who these threat actors are and where they are located. Attribution is extremely difficult and always has been in the cybersecurity space. This issue is not unique to ransomware, but the often opaque identity of these criminals does raise the potential for sanctions program concerns. In this regard, we have recently seen bloggers and others interested in cybersecurity speculating about connections between various ransomware variants and specific groups. Speculation by these bloggers cannot be relied upon and is insufficient either to support or to cast doubt on the appropriateness of a payment. Companies can and must rely on their own thorough due diligence efforts and risk-based compliance programs. And the OFAC guidance includes and supports steps that companies are already taking as part of that process.

What Does the Guidance Mean?

The OFAC advisory reinforces points we already know:

  1. The U.S. Government disfavors payments of ransom, but there is no general ban.
  2. Payments to sanctioned individuals and/or entities, however, can result in significant penalties, and applications for licenses to make such payments will be handled with a presumption of denial, which may be based on U.S. policy interests alone.
  3. Cooperating with law enforcement is critical. The U.S. Government benefits because it can gather more information about these threat actors to help with prosecution. Although our clients are generally working with law enforcement, we are hearing that many companies are not reporting these incidents to the FBI. OFAC’s guidance is pushing companies to work with the FBI more closely. The benefit to the company is the threat information sharing, which could also include information about the origin of the threat actor. In addition, OFAC has identified early and continuing cooperation with law enforcement as a “significant mitigating” factor in an enforcement context.

OFAC did not include:

  1. New groups or malware variants in the sanctions list.
  2. A discussion of (or even vague reference to) new groups or malware variants.
  3. A requirement to go to OFAC in every ransomware incident.

The OFAC guidance identifies additional U.S. Government resources to contact if a company believes that a ransom payment may involve a nexus to a sanctioned entity or group. Although each matter will be viewed on a case-by-case basis, in light of the advisory’s clear focus on working closely with law enforcement, reliance on the blogosphere is doubly risky when concrete information may be obtained from the FBI.

Moving Forward

We do not foresee a lot of changes in the way our team approaches the response to ransomware matters. Overall, the advisory reinforces points that we have always understood are important. Companies should rely on experts to assist with their due diligence and work with the FBI. Experience in incident response is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area.

Cyber insurers are mentioned in the advisory. Carriers may interpret the guidance differently, especially as it relates to “pay on behalf of” policies. Companies should work with their broker to determine whether any process changes are needed.

[1] We have helped companies respond to more than 6,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. We are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident.