US Gov’t Again Threatens to Prosecute Those Who Pay Ransom

On September 21, 2021, the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) once again threatened sanctions against companies for paying ransom in the event that their data or systems were hijacked by hackers.

In a new advisory, the federal agency noted that paying ransom strengthens adversaries, encourages more ransomware attacks and facilitates future attacks. It allows evildoers to profit and “advance their illicit aims” and fund activities that are “adverse to the national security and foreign policy objectives” of the United States. The advisory notes that the government “strongly discourages” the payment of cyber ransom or extortion demands.

But the advisory goes beyond “strongly discouraging” the payment of ransom. It notes that payment of ransom (or extortion) may violate laws like the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). These statutes prohibit “U.S. persons” (U.S. citizens, nationals or corporations) from engaging in financial transactions (including paying cryptocurrency ransom) with people or entities who are listed on either U.S. or international sanctions registries. These include what are called “specially designated nationals and blocked persons,” whose names (or, in some cases, IP addresses or crypto wallet addresses) appear on the so-called SDN list, as well as financial transactions in a prohibited country like Cuba, Crimea, Iran, North Korea or Syria. While the sanctions focus on “U.S. persons,” they apply to anyone who “causes” a U.S. person to violate the embargo or sanctions.

But when a victim of ransomware or extortion pays the ransom, they are typically not “knowingly” violating the sanctions regime. In fact, not only do they not know the identity of the person they are paying, in almost all cases, the identity is unknowable. They can (and indeed are required to) check the crypto wallet address against the SDN list, and may also take other actions to see if the ransom, extortion or payment is connected with prohibited countries like North Korea. But at the end of the day, in almost all cases, they cannot know where the money is going. They just want their data back. They did not act in knowing violation of the OFAC restrictions, so they are good, right? Not so fast.

The OFAC advisory notes “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited…”

So, not only can you be sanctioned for being willfully blind, but you can also be sanctioned for being fully diligent. The statute imposes strict liability for engaging in a transaction with a prohibited entity (even if you did not know you were doing it). What’s even worse, sanctions can also be applied to your insurance agent or insurer, forensic company or law firm for “facilitating” the sanctionable payments. You can apply for an OFAC license to permit the transaction, but to do that you have to tell OFAC the identity of the party with which you seek to engage in the transaction—something you don’t know.

Of course, the U.S. Treasury Department has excellent advice for avoiding the problem of having to pay a ransom. Don’t get hit by ransomware. Jeez! Why didn’t I think of that?

The Treasury Department recommends that companies reduce their risk by adopting or improving cybersecurity practices, such as those suggested by the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide. They also recommend that you reduce your risk of sanctions by considering whether you have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations like the Bank Secrecy Act, Know Your Customer (KYC) or Anti-Money Laundering (AML) regulations. In other words, don’t violate the sanctions regime. Duh.

In addition, the Treasury Department suggests that it might not sanction entities that report ransomware attacks to “appropriate U.S. government agencies” and continue to cooperate with OFAC, law enforcement and other relevant agencies. Also, it helps if you turn yourself in for violating the OFAC regulations that you didn’t know you violated.

Again, you could ask OFAC or law enforcement for “permission” to pay the ransom, but they won’t give you permission. But they will sanction you if you pay it. As the Church Lady famously said, “Isn’t that special?”

The OFAC notice is more of the same from the government. People demand ransoms because that’s how they can make money. If nobody paid a ransom, then ransomware would stop because it’s not profitable. So let’s start prosecuting those who pay ransom to get their own data back. Sure, why not?

At the same time, when the government successfully recovered the ransomware keys used in the recent REvil attacks, they waited weeks before they provided the decryption keys to victims. So you can’t unlock, you can’t prevent and you can’t pay.

Paying a ransom is never ideal, and it is often the last resort. Companies hit with ransomware should work closely with their knowledgeable cyber counsel to determine whether to pay a ransom and, if so, how and how much. Otherwise, they might be sanctioned more than the hacker. Isn’t that special?

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.