
The U.S. Department of the Treasury released an advisory today highlighting that ransomware payments could violate its Office of Foreign Assets Control (OFAC) sanctions controls. This advisory drastically changes the dynamic for how companies manage ransomware response, including the payment of ransoms directly or through third-party negotiators.

This is an advisory that every CISO, corporate executive, and board of directors member needs to read and understand to prevent criminal liability.

According to the Advisory:

  • Between 2018 and 2019 there was a 37 percent annual increase in reported ransomware cases.
  • During that same period, ransomware-associated losses increased by 147 percent.
  • Ransomware is impacting large corporations, but small and medium-sized companies are also experiencing significant attacks.
  • OFAC has designated several cybercriminal organizations associated with ransomware as being subject to U.S. sanctions, including SamSam, WannaCry, Cryptolocker, and Dridex.
  • Any ransomware payment to a sanctions-designated entity is subject to sanctions enforcement actions that could include fines and criminal penalties.
  • Lack of knowledge is not an allowable defense and U.S. persons could be subject to civil action for ransomware payments even if they didn’t know the ransomware payment violated U.S. sanctions.

The Department of the Treasury is clearly stating that ransomware payments with a sanctions nexus impact U.S. national security. U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities.

A risk-based management program for ransomware response is recommended. This includes appropriate controls within companies directly targeted with ransomware, third-party ransomware negotiators, incident response firms, law firms, and financial institutions facilitating ransomware payments.

Companies are expected to obtain appropriate licensing for ransomware payments by reporting the attack early to the appropriate U.S. government agencies. Detailed guidance is provided in the full advisory in the link below.

OODA Analysis:

This guidance greatly changes the table stakes for incident response activities associated with ransomware attacks. Given the time-based nature of ransomware payment demands, organizations need to develop appropriate plans, including licensure and disclosure guidelines, in advance and ensure that any response complies with U.S. sanctions expectations.

Full Advisory – OFAC Ransomware Advisory

Matt Devost

About the Author


Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net