On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.
Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others. Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data. Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany. Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected. In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.
As a result, victims of ransomware attacks often choose to pay the ransom. However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient. Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.
The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks. While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government. This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws. It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.