Ransomware has hit pandemic proportions and there does not seem to be a clear end in sight. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding ransom payments and the risk of sanctions violations associated with such payments.
Ransomware has been around for decades. For many years, ransomware was more of a nuisance involving only a small number of computers than a real business disrupter. In recent years, we’ve seen increased sophistication, with threat actors increasing the impact of an incident by finding ways to encrypt many devices at the same time and by deleting or encrypting backup files, too. Additionally, many of the ransomware threat actors are exfiltrating data before spreading ransomware. Thus, even if the company can restore data from backups, it still faces the extortion component.
BakerHostetler’s Digital Assets and Data Management group produces a yearly report that provides statistics and insights based on the data security incidents we worked on over the prior year. This year’s Report analyzes the more than 1,000 incidents we worked on in 2019. 24% of our 2019 incidents were ransomware. In 2018, the average ransom amount was $28,920. In 2019, the average ransom amount increased to $302,539. Ransom demands have continued to grow in 2020, and as our next report will reflect, we are seeing demands in excess of $50 million. Exfiltration is an issue in a growing number of incidents (by comparison, only 6% of ransomware incidents in 2019 triggered notification obligations).
One of the initial questions that our clients ask us is whether companies actually pay ransom and whether there is any prohibition against making payments. Yes, companies pay ransom. And we are seeing payments made on a daily basis – that’s how big this issue is. Before a payment is made, the company generally retains a third party to conduct due diligence to ensure that the payment is appropriate, i.e., that it is not being made to a sanctioned organization or a group reasonably suspected of being tied to a sanctioned organization. Additionally, checks are in place to ensure that anti-money laundering laws are not being violated.
Questions have always been raised about who these threat actors are and where they are located. Attribution is extremely difficult and always has been in the cybersecurity space. This issue is not unique to ransomware, but the frequently opaque identity of these criminals does raise the potential for sanctions compliance concerns. In this regard, we have recently seen bloggers and others interested in cybersecurity speculating about connections between various ransomware variants and specific groups. Speculation by these bloggers cannot be relied upon and is insufficient to support or cast definitive doubt on the appropriateness of a payment, although the existence of such speculation cannot be ignored. Rather, companies can and must rely on their own thorough due diligence efforts and risk-based compliance programs to vet payees and resolve potential red flags. The OFAC advisory describes and supports steps that companies are already taking as part of this process.
What Does the Advisory Say?
The OFAC advisory reinforces points we already know:
- The U.S. Government disfavors payments of ransom, but there is no general ban.
- Payments to sanctioned individuals and/or entities, however, can result in significant penalties, and applications for licenses to make such payments will be handled with a presumption of denial, which may be based on U.S. policy interests alone.
- Cooperating with law enforcement is critical. The U.S. Government benefits because it can gather more information about these threat actors to help with prosecution. Although our clients are generally working with law enforcement, we are hearing that many companies are not reporting these incidents to the FBI. The advisory makes clear that OFAC is pushing companies to work with the FBI more closely. The benefit to the company is the threat information sharing, which could also include information about the origin of the threat actor. In addition, OFAC has identified early and continuing cooperation with law enforcement as a “significant mitigating” factor in an enforcement context.
OFAC’s advisory did not include:
- Imposition of sanctions against new groups or malware variants or new additions to OFAC’s list of sanctioned persons.
- A discussion of (or even vague reference to) new groups or malware variants.
- A requirement to go to OFAC in every ransomware incident.
OFAC’s role is restricted to cases involving U.S. persons or financial institutions and cyber actors with a sanctions nexus, a point that OFAC also emphasized a decade ago when the shipping industry was plagued with a rash of ransom demands by Somali pirates. The OFAC guidance identifies additional U.S. Government resources to contact if a company believes that a ransom payment may involve a nexus to a sanctioned entity or group. Although it will be viewed on a case-by-case basis, in light of the advisory’s clear focus on working closely with law enforcement, reliance on the blogosphere is doubly risky when concrete information may be secured from the FBI.
We do not foresee a lot of changes in the way our team approaches the response to ransomware matters. Overall, the advisory reinforces points that we have always understood are important. Companies should be mindful of the need for sanctions compliance and rely on experts to assist with their due diligence and work with the FBI. Experience in incident response and sanctions compliance is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area.
Cyber insurers are mentioned in the alert. Carriers may interpret the guidance differently, especially as related to “pay on behalf of” policies. Companies should work with their broker to determine if there are any process changes.