Ransomware attacks are on the rise, with the Federal Bureau of Investigation reporting a nearly 21% increase in reported ransomware cases and a 225% growth in associated losses from 2019-2020.  On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory to highlight the sanctions risks associated with ransomware payments to malicious cyber actors and proactive steps that companies can take to mitigate those risks.

OFAC has designated some malicious cyber actors in its cyber-related sanctions program and other sanctions programs to discourage payments of cyber ransom or extortion demands to these parties.

According to the advisory, U.S. persons are generally prohibited from engaging in transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by country or region embargoes. Furthermore, any transaction that may violate the International Emergency Economic Powers Act (IEEPA), including a transaction by a non-U.S. person that causes a U.S. person to violate an IEEPA-based sanction prohibition, is also banned.

In response to sanctions violations, OFAC may hold such persons civilly liable even if they were unaware that the transaction was prohibited under sanctions laws and OFAC’s regulations at the time. The OFAC’s Economic Sanctions Enforcement Guidelines describe the department’s enforcement policies, as well as mitigating factors that may be considered by OFAC, including:

  1. meaningful measures taken to improve cybersecurity practices and reduce the risk of extortion by sanctioned actors; and
  2. the reporting of ransomware attacks to government agencies and cooperation with law enforcement.

If those factors are present, OFAC’s resolution could be limited to a “no action” or a “cautionary” letter, rather than a public response. Businesses that fall under OFAC’s regulation should aim to revise their cybersecurity incident response plans to better align with the recommendations in the updated advisory. 

Summary By: Imtiaz Karamat


21 10 13

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.