Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments - DEPARTMENT OF THE TREASURY

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C.
Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments [1]
Date: September 21, 2021
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this
updated advisory to highlight the sanctions risks associated with ransomware payments in
connection with malicious cyber-enabled activities and the proactive steps companies can take to
mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in
any related enforcement action. [2]

Demand for ransomware payments has increased during the COVID-19 pandemic as cyber
actors target online systems that U.S. persons rely on to continue conducting business.
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including
financial institutions, cyber insurance firms, and companies involved in digital forensics and
incident response, not only encourage future ransomware payment demands but also may risk
violating OFAC regulations. The U.S. government strongly discourages all private companies
and citizens from paying ransom or extortion demands and recommends focusing on
strengthening defensive and resilience measures to prevent and protect against ransomware
attacks.
This advisory describes the potential sanctions risks associated with making and facilitating
ransomware payments and provides information for contacting relevant U.S. government
agencies, including OFAC if there is any reason to suspect the cyber actor demanding
ransomware payment may be sanctioned or otherwise have a sanctions nexus. [3]
Background on Ransomware Attacks
Ransomware is a form of malicious software (“malware”) designed to block access to a
computer system or data, often by encrypting data or programs on information technology
systems to extort ransom payments from victims in exchange for decrypting the information and
restoring victims’ access to their systems or data. In some cases, in addition to the attack, cyber
actors threaten to publicly disclose victims’ sensitive files. The cyber actors then demand a
ransomware payment, usually through virtual currency, in exchange for a key to decrypt the files
and restore victims’ access to systems or data.

[1] This advisory is explanatory only and does not have the force of law. It does not modify statutory authorities,
Executive Orders, or regulations. It is not intended to be, nor should it be interpreted as, comprehensive, or as
imposing requirements under U.S. law, or otherwise addressing any requirements under applicable law. Please see
the legally binding provisions cited for relevant legal authorities.
[2] This advisory updates and supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware
Payments of October 1, 2020.
[3] This advisory is limited to sanctions risks related to ransomware and is not intended to address issues related to
information security practitioners’ cyber threat intelligence-gathering efforts more broadly. For guidance related to
those activities, see guidance from the U.S. Department of Justice, Legal Considerations when Gathering Online
Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020), available at
https://www.justice.gov/criminal-ccips/page/file/1252341/download.
In recent years, ransomware attacks have become more focused, sophisticated, costly, and
numerous. According to the Federal Bureau of Investigation (FBI), there was a nearly 21
percent increase in reported ransomware cases and a 225 percent increase in associated losses
from 2019 to 2020. [4] Ransomware attacks are carried out against private and governmental
entities of all sizes and in all sectors, including organizations operating critical infrastructure,
such as hospitals. Often attacks also take place against vulnerable entities such as school
districts and smaller businesses, in part due to the attacker’s assumption that such victims may
have fewer resources to invest in cyber protection and will make quick payment to restore
services.
OFAC Designations of Malicious Cyber Actors
OFAC has designated numerous malicious cyber actors under its cyber-related sanctions
program and other sanctions programs, including perpetrators of ransomware attacks and those
who facilitate ransomware transactions. For example, starting in 2013, a ransomware variant
known as Cryptolocker was used to infect more than 234,000 computers, approximately half of
which were in the United States. [5] OFAC designated the developer of Cryptolocker, Evgeniy
Mikhailovich Bogachev, in December 2016. [6]
Starting in late 2015 and lasting approximately 34 months, SamSam ransomware was used to
target mostly U.S. government institutions and companies, including the City of Atlanta, the
Colorado Department of Transportation, and a large healthcare company. In November 2018,
OFAC designated two Iranians for providing material support to a malicious cyber activity and
identified two virtual currency addresses used to funnel SamSam ransomware proceeds. [7]
In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers
in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal
organization sponsored by North Korea. OFAC designated the Lazarus Group and two subgroups,
Bluenoroff and Andariel, in September 2019. [8]
[4] Compare Federal Bureau of Investigation, Internet Crime Complaint Center, 2019 Internet Crime Report, available
at https://pdf.ic3.gov/2019_IC3Report.pdf, with Federal Bureau of Investigation, Internet Crime Complaint Center,
2020 Internet Crime Report, available at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
[5] Press Release, U.S. Dept. of Justice, U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and
“Cryptolocker” Ransomware, Charges Botnet Administrator (June 2, 2014), available at
https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware.
[6] Press Release, U.S. Dept. of the Treasury, Treasury Sanctions Two Individuals for Malicious Cyber-Enabled
Activities (Dec. 29, 2016), available at https://www.treasury.gov/press-center/press-releases/Pages/jl0693.aspx.
[7] Press Release, U.S. Dept. of the Treasury, Treasury Designates Iran-Based Financial Facilitators of Malicious
Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses (Nov. 28, 2018), available at
https://home.treasury.gov/news/press-releases/sm556.
[8] Press Release, U.S. Dept. of the Treasury, Treasury Sanctions North Korean State-Sponsored Malicious Cyber
Groups (Sept. 13, 2019), available at https://home.treasury.gov/news/press-releases/sm774.
Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex
malware to infect computers and harvest login credentials from hundreds of banks and financial
institutions in over 40 countries, causing more than $100 million in theft. In December 2019,
OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and
distribution of the Dridex malware. [9]
In September 2021, OFAC designated SUEX OTC, S.R.O. (“SUEX”), a virtual currency
exchange, for its part in facilitating financial transactions for ransomware actors, involving illicit
proceeds from at least eight ransomware variants. Analysis of known SUEX transactions
showed that over 40% of SUEX’s known transaction history was associated with illicit actors. [10]
OFAC has imposed, and will continue to impose, sanctions on these actors and others who
materially assist, sponsor, or provide financial, material, or technological support for these
activities. [11]
Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may
enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
For example, ransomware payments made to sanctioned persons or to comprehensively
sanctioned jurisdictions could be used to fund activities adverse to the national security and
foreign policy objectives of the United States. Such payments not only encourage and enrich
malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no
guarantee that companies will regain access to their data or be free from further attacks
themselves. For these reasons, the U.S. government strongly discourages the payment of cyber
ransom or extortion demands.
Facilitating Ransomware Payments on Behalf of a Victim May Violate OFAC Regulations
Under the authority of the International Emergency Economic Powers Act (IEEPA) or the
Trading with the Enemy Act (TWEA), [12] U.S. persons are generally prohibited from engaging in
transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially
Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those
covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of
Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation
under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate
any IEEPA-based sanctions prohibitions, is also prohibited. U.S. persons, wherever located, are
also generally prohibited from facilitating actions of non-U.S. persons that could not be directly
performed by U.S. persons due to U.S. sanctions regulations.

[9] Press Release, U.S. Dept. of the Treasury, Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group
Behind Dridex Malware (Dec. 5, 2019), available at https://home.treasury.gov/news/press-releases/sm845.
[10] Press Release, U.S. Dept. of the Treasury, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21,
2021), available at https://home.treasury.gov/news/press-releases/jy0364.
[11] Federal charges have also been brought in connection with each of the aforementioned ransomware schemes. See,
e.g., Press Release, U.S. Dept. of Justice, Russian National Charged with Decade-Long Series of Hacking and Bank
Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in
Deployment of “Bugat” Malware (Dec. 5, 2019), available at
https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens;
and Press Release, U.S. Dept. of Justice, Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to
Commit Cyberattacks and Financial Crimes Across the Globe (Feb. 17, 2021), available at
https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
[12] 50 U.S.C. §§ 4301–41; 50 U.S.C. §§ 1701–06.
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a
person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or
have reason to know that it was engaging in a transaction that was prohibited under sanctions
laws and regulations administered by OFAC. OFAC’s Economic Sanctions Enforcement
Guidelines (Enforcement Guidelines) [13] provide more information regarding OFAC’s
enforcement of U.S. economic sanctions, including the factors that OFAC generally considers
when determining an appropriate response to an apparent violation. Enforcement responses
range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to
public responses, such as civil monetary penalties.
Sanctions Compliance Program and Defensive/Resilience Measures
Under OFAC’s Enforcement Guidelines, the existence, nature, and adequacy of a sanctions
compliance program is a factor that OFAC may consider when determining an appropriate
enforcement response to an apparent violation of U.S. sanctions laws or regulations.
As a general matter, OFAC encourages financial institutions and other companies to implement a
risk-based compliance program to mitigate exposure to sanctions-related violations. [14] This also
applies to companies that engage with victims of ransomware attacks, such as those involved in
providing cyber insurance, digital forensics and incident response, and financial services that
may involve processing ransom payments (including depository institutions and money services
businesses). In particular, the sanctions compliance programs of these companies should account
for the risk that a ransomware payment may involve an SDN or blocked person, or a
comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware
payments on behalf of victims should also consider whether they have regulatory obligations
under Financial Crimes Enforcement Network (FinCEN) regulations. [15]
Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or
improving cybersecurity practices, such as those highlighted in the Cybersecurity and
Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, [16] will be
considered a significant mitigating factor in any OFAC enforcement response. [17] Such steps
could include maintaining offline backups of data, developing incident response plans, instituting
cybersecurity training, regularly updating antivirus and anti-malware software, and employing
authentication protocols, among others.

[13] 31 C.F.R. part 501, appx. A.
[14] To assist the public in developing an effective sanctions compliance program, in 2019, OFAC published A
Framework for OFAC Compliance Commitments, intended to provide organizations with a framework for the five
essential components of a risk-based sanctions compliance program. The Framework is available at
https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
[15] See FinCEN Guidance, FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to
Facilitate Ransom Payments, October 1, 2020, for applicable anti-money laundering obligations related to financial
institutions in the ransomware context.
[16] See Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020,
https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf.
Cooperation with OFAC and Law Enforcement
Another factor that OFAC will consider under the Enforcement Guidelines is the reporting of
ransomware attacks to appropriate U.S. government agencies and the nature and extent of a
subject person’s cooperation with OFAC, law enforcement, and other relevant agencies,
including whether an apparent violation of U.S. sanctions is voluntarily self-disclosed. In the
case of ransomware payments that may have a sanctions nexus, OFAC will consider a
company’s self-initiated and complete report of a ransomware attack to law enforcement or other
relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s
Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible
after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor
in determining an appropriate enforcement response. OFAC will also consider a company’s full
and ongoing cooperation with law enforcement both during and after a ransomware attack —
e.g., providing all relevant information such as technical details, ransom payment demand, and
ransom payment instructions as soon as possible — to be a significant mitigating factor.
While the resolution of each potential enforcement matter depends on the specific facts and
circumstances, OFAC would be more likely to resolve apparent violations involving ransomware
attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the
affected party took the mitigating steps described above, particularly reporting the ransomware
attack to law enforcement as soon as possible and providing ongoing cooperation.
OFAC Licensing Policy
Ransomware payments benefit illicit actors and can undermine the national security and foreign
policy objectives of the United States. For this reason, license applications involving
ransomware payments demanded as a result of malicious cyber-enabled activities will continue
to be reviewed by OFAC on a case-by-case basis with a presumption of denial.
Victims of Ransomware Attacks Should Contact Relevant Government Agencies
OFAC strongly encourages all victims and those involved with addressing ransomware attacks to
report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint
Center, or their local U.S. Secret Service office as soon as possible. Victims should also report
ransomware attacks and payments to Treasury’s OCCIP and contact OFAC if there is any reason
to suspect a potential sanctions nexus with regard to a ransomware payment. As noted, in doing
so victims can receive significant mitigation from OFAC when determining an appropriate
enforcement response in the event a sanctions nexus is found in connection with a ransomware
payment.
[17] See the U.S. government's website, https://www.cisa.gov/stopransomware, for additional guidance.
By reporting ransomware attacks as soon as possible, victims may also increase the likelihood of
recovering access to their data through other means, such as alternative decryption tools, and in
some circumstances may be able to recover some of the ransomware payment. Additionally,
reporting ransomware attacks and payments provides critical information needed to track cyber
actors, hold them accountable, and prevent or disrupt future attacks.
Contact Information for U.S. Department of Treasury Agencies:
• U.S. Department of the Treasury’s Office of Foreign Assets Control
    - Sanctions Compliance and Evaluation Division: [email protected]; (202) 622-2490 / (800) 540-6322
    - Licensing Division: https://licensing.ofac.treas.gov/; (202) 622-2480
• U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
    - [email protected]; (202) 622-3000
• U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN)
    - FinCEN Regulatory Support Section: [email protected]
Contact Information for Other Relevant U.S. Government Agencies:
• Federal Bureau of Investigation Cyber Task Force
    - https://www.ic3.gov/default.aspx; www.fbi.gov/contact-us/field
• U.S. Secret Service Cyber Fraud Task Force
    - https://secretservice.gov/contact/field-offices
• Cybersecurity and Infrastructure Security Agency
    - https://us-cert.cisa.gov/forms/report
• Homeland Security Investigations Field Office
    - https://www.ice.gov/contact/hsi
Ransomware Prevention Resources:
• U.S. Government StopRansomWare.gov Website
    - https://www.cisa.gov/stopransomware
• CISA Ransomware Guide
    - https://www.cisa.gov/stopransomware/ransomware-guide
If you have any questions regarding the scope of any sanctions requirements described in this
advisory, please contact OFAC’s Sanctions Compliance and Evaluation Division at (800) 540-6322
or (202) 622-2490.