On October 1, 2020, the US Treasury Department issued important guidance on what victims of ransomware attacks, as well as financial institutions (particularly money services businesses (“MSBs”) and other companies that facilitate such payments), should consider when confronted with potential ransomware demands. First, the Office of Foreign Assets Control (“OFAC”) issued an advisory that emphasizes the existing sanctions risks associated with making or facilitating ransomware payments on behalf of companies targeted by malicious cyber-enabled activities and indicates the agency’s position with respect to requests to make prohibited payments.[1] This guidance has important implications for businesses across economic sectors that face ransomware demands and the complex legal and practical issues that a ransom or extortion situation can entail. Second, the Financial Crimes Enforcement Network (“FinCEN”) issued an advisory that provides information on trends, typologies and red flags that may be indicative of ransomware payments and related money laundering. Importantly, the advisory provides specific direction with respect to information that financial institutions should include in Suspicious Activity Reports (“SARs”) relating to ransomware attacks and the application of FinCEN registration requirements to companies facilitating ransomware payments.[2]
In this Legal Update, we provide background on what ransomware is and describe what these advisories mean for victims of ransomware; financial services institutions; digital forensic, incident response and cyber insurance companies; and other third parties involved in the negotiation, arrangement and facilitation of payments.
Both OFAC and FinCEN maintain regulations relating to malicious cyber activities that should be considered in connection with any response to a ransomware attack. As defined by FinCEN, ransomware is a form of “malicious software (‘malware’) designed to block access to a computer system or data, often by encrypting data or programs on information technology (‘IT’) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.” Victims of ransomware can also face extortionate demands from malicious actors threatening to publicly release sensitive data to which they have gained unauthorized access.
OFAC has “designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.” Notably, OFAC has designated not only individual actors or groups but also specific infrastructure including “digital currency addresses.”[3]
Financial, healthcare and educational institutions, as well as governmental entities, have increasingly found themselves victims of ransomware attacks in the COVID-19 environment.[4] Victims may seek to use financial institutions, particularly MSBs (registered or unregistered), to make ransom payments in response to such attacks.[5]
The OFAC advisory targets a broad audience that includes not only financial institutions but also companies that are victims of ransomware attacks, as well as any other third party involved in the negotiation or facilitation of payments that involve OFAC-sanctioned targets.
The advisory highlights the many designations that OFAC has made in recent years targeting malicious cyber actors, including perpetrators of ransomware attacks and those who facilitate ransomware transactions and, in some cases, their “digital currency addresses.”[6] It also explains the ways in which ransomware payments can harm US national security, including through funneling money to sanctioned entities or to entities in comprehensively sanctioned jurisdictions.
The advisory reiterates the legal prohibitions on US persons with respect to dealings with sanctioned entities or individuals.[7] Most notably, US persons “are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (‘persons’) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).”[8] US persons are prohibited from engaging in or facilitating any transaction in which targets of OFAC sanctions programs have any direct or indirect interest. As noted in the advisory, however, non-US persons may also have potential liability exposure under such sanctions when they engage in any transaction with a US nexus (e.g., causing a US person to violate sanctions).
OFAC emphasizes the strict liability character of the sanctions regime, namely that “a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”[9] In this way, OFAC sanctions differ from other legal regimes in which a reason to know of the prohibited nature of the conduct is a predicate to liability; OFAC’s sanctions regulations, by contrast, apply to any transaction with a prohibited party or jurisdiction, even if the parties to the transaction had no basis to know that the party on the other end was sanctioned by OFAC. Ransomware payments run the risk of violating sanctions as, in many cases, the paying individual or entity does not know the identity of the ransom recipient or have much information to determine if that recipient is a sanctioned person or in a jurisdiction subject to comprehensive sanctions. As a practical matter, OFAC closely evaluates the facts and circumstances surrounding violations, and “reason to know” often factors heavily in enforcement decisions, even if it is not an affirmative defense to liability exposure.
The advisory thus encourages cyber insurance providers, cybersecurity incident response firms, financial institutions and all companies “to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.”[10] OFAC has been emphasizing the importance of a risk-based OFAC compliance program for many years. The existence and adequacy of a company’s compliance program is an important factor that OFAC “consider[s] when determining an appropriate enforcement response” to a sanctions violation, including one involving a ransom payment.[11] The existence of such a program may, in certain circumstances, result in OFAC taking no enforcement action or imposing a lesser penalty in the event of a violation. The advisory also notes that in the context of ransomware sanctions violations, OFAC will “also consider a company’s full and timely cooperation with law enforcement” to be a significant mitigating factor when evaluating an enforcement outcome.
Where a determination is made that licensing is required, the advisory also addresses whether OFAC will issue a license to make a ransomware payment to a sanctioned person. OFAC states that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial” (emphasis added).[12] While this theoretically leaves open the door to a license (e.g., potentially obtaining a license if, for example, law enforcement wanted a payment made for some other reason), it reflects the longstanding policy against making concessions in ransom situations and signals that such licenses will be rarely, if ever, granted.[13] The bottom line from OFAC: to avoid or mitigate an enforcement response, institutions would be well-served to establish a risk-based OFAC compliance program so that they can identify and assess potential sanctions issues involved in ransomware situations and to inform and cooperate with law enforcement where appropriate.
The FinCEN advisory targets a narrower audience, primarily financial institutions, and notes that the processing of ransomware payments is typically a multi-step process that involves at least one depository institution and one or more MSBs. Many ransomware schemes involve convertible virtual currency (“CVC”), which FinCEN describes as the preferred payment method of ransomware perpetrators.
Following the delivery of the ransom demand, a ransomware victim that has decided to pay the threat actor will typically attempt to transmit funds by way of a wire transfer, automated clearinghouse or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim will send the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address. The perpetrator will then attempt to launder the funds through various means, including using mixers and tumblers to convert CVC funds into other CVCs, smurfing transactions across many accounts and exchanges and/or moving the CVC to foreign-located exchanges and peer-to-peer (“P2P”) exchangers in jurisdictions with weak anti-money laundering and countering financing of terrorism controls.
The advisory cautions that digital forensics, incident response and cyber insurance companies may be engaged in money transmission by facilitating ransomware payments and therefore may be required to register with FinCEN as MSBs and comply with anti-money laundering requirements, including implementing procedures to identify potentially criminal activities and file SARs. While the advisory does not explicitly address state licensing of money transmitters, it is a violation of federal anti-money laundering requirements for a person to fail to comply with applicable state money transmitter licensing requirements.[14] In many circumstances, activities that trigger FinCEN registration requirements also will trigger state licensure requirements, and, furthermore, banks and other depository financial institutions consider a company’s registration or licensing status when assessing risks associated with establishing or continuing a banking relationship or providing specific banking services.
The advisory identifies 10 red flags that FinCEN has associated with “ransomware-related illicit activity.” These are:
- Suspicious enterprise IT activity occurs in financial institution “system log files, network traffic, or file information” that has been associated with ransomware attackers or schemes.
- A customer is notified that a specific payment “is in response to a ransomware incident.”
- A customer’s or recipient’s cryptocurrency address appears on a public forum or in government/commercial analysis that links it to ransomware activity.
- A major transaction occurs between a large company (especially one in a high cybersecurity risk sector) and a cybersecurity incident response firm or cyber insurance provider (especially if the entity is “known to facilitate ransom payments”).
- A cybersecurity incident response firm or cyber insurance provider receives funds from a company and shortly after sends those funds to a cryptocurrency exchange.
- A customer appears unfamiliar with cryptocurrency but subsequently makes or asks questions about a significant or rush purchase of cryptocurrency.
- A cybersecurity incident response firm or insurer without a track record of cryptocurrency transactions makes a significant transfer.
- A customer not registered with FinCEN as a money transmitter conducts “large numbers of offsetting transactions between various” cryptocurrencies.
- A customer uses a cryptocurrency exchange or foreign money services business in a country/jurisdiction known for lax anti-money laundering and countering financing of terrorism regulations.
- A customer engages in multiple rapid transfers among multiple cryptocurrencies, including anonymity-enhanced cryptocurrencies, in a possible attempt to obfuscate a transaction.
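As an added illustration (not code from the advisory or from the authors of this update), the Python below expresses two of these red flags, the incident-response-firm pass-through to a CVC exchange and rapid hopping across multiple cryptocurrencies, as transaction-monitoring rules run over a constructed ledger; the account labels, the `EXCHANGES` list and the `AEC` set of anonymity-enhanced coins are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXCHANGES = {"CVC-EXCH-A"}   # assumed: counterparties known to be CVC exchanges
AEC = {"XMR", "ZEC"}         # assumed: anonymity-enhanced cryptocurrencies
_t = datetime.fromisoformat

# Constructed sample ledger (not advisory data). Field order per row:
# timestamp, account, customer_type, kind, counterparty, usd, from_asset, to_asset
LEDGER = [
    ("2020-10-05T09:00", "IR-FIRM-1", "ir_firm", "wire_in", "ACME-MFG", 450_000, None, None),
    ("2020-10-05T13:30", "IR-FIRM-1", "ir_firm", "wire_out", "CVC-EXCH-A", 440_000, None, None),
    ("2020-10-06T10:00", "RETAIL-9", "retail", "cvc_swap", None, 20_000, "BTC", "ETH"),
    ("2020-10-06T10:20", "RETAIL-9", "retail", "cvc_swap", None, 19_800, "ETH", "XMR"),
    ("2020-10-06T11:05", "RETAIL-9", "retail", "cvc_swap", None, 19_500, "XMR", "LTC"),
]

def by_account(ledger):
    """Group rows by account, ordered by timestamp (ISO strings sort lexically)."""
    groups = defaultdict(list)
    for row in sorted(ledger, key=lambda r: r[0]):
        groups[row[1]].append(row)
    return groups

def ir_firm_passthrough(ledger, window_hours=24, ratio=0.8):
    """Red flag: IR firm/insurer takes in corporate funds and soon forwards most of them to a CVC exchange."""
    hits = []
    for acct, rows in by_account(ledger).items():
        ins = [r for r in rows if r[3] == "wire_in" and r[2] == "ir_firm"]
        outs = [r for r in rows if r[3] == "wire_out" and r[4] in EXCHANGES]
        for r_in in ins:
            for r_out in outs:
                gap = _t(r_out[0]) - _t(r_in[0])
                if timedelta(0) <= gap <= timedelta(hours=window_hours) and r_out[5] >= ratio * r_in[5]:
                    hits.append((acct, r_in[4], r_out[4]))
    return hits

def rapid_cvc_hops(ledger, min_hops=3, window_hours=6):
    """Red flag: several rapid swaps across CVCs; last field marks whether an anonymity-enhanced coin was touched."""
    hits = []
    for acct, rows in by_account(ledger).items():
        swaps = [r for r in rows if r[3] == "cvc_swap"]
        for i, first in enumerate(swaps):
            chain = [s for s in swaps[i:] if _t(s[0]) - _t(first[0]) <= timedelta(hours=window_hours)]
            if len(chain) >= min_hops:
                assets = {a for s in chain for a in (s[6], s[7])}
                hits.append((acct, len(chain), bool(assets & AEC)))
                break
    return hits
```

Each hit is a candidate for analyst review rather than an automatic SAR decision; the thresholds are tuning parameters an institution would set from its own risk assessment.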
The advisory describes a financial institution’s regulatory and information-sharing obligations with respect to ransomware. The primary obligation is that a financial institution must implement procedures to identify payments or transaction patterns potentially associated with ransomware and to file a related SAR. In the context of ransomware-related transactions, potentially suspicious activity includes attempted and successful “transactions, including payments made by financial institutions themselves, related to criminal activity like extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems.”[15]
The advisory also provides specific guidance on the content of SARs relating to cyber events by encouraging institutions to include technical indicators such as “relevant email addresses, IP addresses with their respective timestamps, login information with location and timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications.”[16]
With respect to information sharing, the advisory notes that, when requested by FinCEN or an appropriate law enforcement or supervisory agency, financial institutions are required to provide all documentation supporting the filing of a SAR. Significantly, the advisory instructs that when requested to provide supporting documentation, financial institutions should take special care to verify that a requestor of information is, in fact, a representative of FinCEN or an appropriate law enforcement or supervisory agency. A financial institution should incorporate procedures for such verification into its anti-money laundering compliance program. These procedures may include, for example, independent employment verification with the requestor’s field office or face-to-face review of the requestor’s credentials.
Ransomware attacks are an increasing threat, particularly during the COVID-19 pandemic.[17] While not creating new legal requirements, the two advisories from OFAC and FinCEN clearly communicate each agency’s expectations with respect to how financial institutions and others should approach ransomware situations and the risks associated with processing ransomware payments.
Accordingly, all companies should consult counsel and consider (preferably in advance) how they would respond to a ransomware demand, especially one where there is no or limited information to suggest the presence or absence of a sanctions nexus. Being the victim of a cyber attack or being a potential facilitator of payments to potential criminal actors is not a comfortable position to contemplate; however, having a response plan can facilitate better decision making during a crisis.
Additionally, based on this guidance, digital forensics, incident response and cyber insurance companies should evaluate whether they engage in money transmission and thus should be registered with FinCEN as MSBs, with the attendant obligations to adopt anti-money laundering compliance procedures, and licensed with one or more state regulators as money transmitters. MSBs and other financial institutions should evaluate their risk assessments and determine whether their transaction monitoring and investigation protocols are appropriately aligned with their exposure to the potential facilitation of ransomware payments.
[1] OFAC, Ransomware Advisory (Oct. 1, 2020), https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001.
[2] FinCEN, FIN-2020-A006 (Oct. 1, 2020), https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2020-a006.
[4] FinCEN Advisory at 4. See also Patrick Upatham and Jim Treinen, Amid COVID-19, Global Orgs See a 148% Spike in Ransomware Attacks: Finance Industry Heavily Targeted, Carbon Black (Apr. 15, 2020); Oliver Ralph, Ransom Attackers Set Sights on Financial Sector “Big Game,” Financial Times (Mar. 23, 2020).
[5] Some companies that do not consider themselves financial institutions, such as digital forensics and incident response firms, may be considered financial institutions by facilitating ransomware payments.
[7] The OFAC advisory notes that it is not a comprehensive statement of requirements under US law and emphasizes that it does not have the force of law. While it does not contain a similar statement, the same is true of the FinCEN advisory. See also Press Release, Associate Attorney General Brand Announces End To Use of Civil Enforcement Authority to Enforce Agency Guidance Documents (Jan. 25, 2018) (reiterating that agency guidance does not have the force of law); Press Release, Interagency Statement Clarifying the Role of Supervisory Guidance (Sept. 11, 2018) (indicating that banking regulators will not cite an institution for a violation of agency guidance).
[13] E.g., Remarks of Under Secretary David Cohen at Chatham House on “Kidnapping for Ransom: The Growing Terrorist Financing Challenge” (Oct. 5, 2012) (“[a]s a matter of long-standing policy, both the U.S. and UK governments do not pay ransoms or make other concessions to kidnappers”).