In February 2022, Executive Order 14024 highlighted that Russia’s invasion of Ukraine threatened not only Ukraine but also the national security and foreign policy of the United States. Pursuant to this executive order, and in the face of national security concerns, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has instituted extensive sanctions, including both economic and trade sanctions. Also, in response to the national security concerns, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Shields Up notice, urging companies to bolster their cybersecurity to protect themselves against the threat of a cyberattack.
As the conflict between Russia and Ukraine continues, the threat of a cyberattack, specifically ransomware and NotPetya-style attacks, remains top of mind. However, as entities continue to bolster their cybersecurity and protect themselves against these attacks, they should be cognizant of the implications that OFAC sanctions may have in connection with such an attack.
All U.S. persons must comply with the sanctions against Russia. U.S. persons are defined as U.S. citizens and permanent residents regardless of location, as well as all persons and entities who are in the U.S. and all entities incorporated in the U.S. and any of their foreign branches.
This analysis becomes complicated during ransomware attacks. When an entity is the victim of a ransomware attack, they typically have to make a decision about whether to pay the attacker a ransom in order to retrieve their data or to get a key to unencrypt their data. Ransom payments — including payments with cryptocurrency or payments facilitated through third parties — to sanctioned persons or entities are in violation of the OFAC regulations. In light of the Russia-Ukraine conflict, the number of sanctioned individuals and entities has increased dramatically, making it more difficult to ensure that an entity requesting a ransom payment is not subject to sanctions.
Making a ransomware payment where it is known that the ransomware attacker originated from a person or group on the OFAC sanctions list is in violation of the OFAC regulations and subjects the payor to civil penalties. In addition, where the person/entity making the payment knew (or had reason to know) that the attacker was on a sanctions list, they can also be subject to criminal investigation and/or prosecution.
Even when there is no reason to suspect the attacker originated from a person or group on the OFAC sanctions list, ransomware payments still carry significant risk. OFAC can impose civil penalties for sanctions violations based on strict liability, meaning penalties can be imposed even when the party who made the ransomware payment did not know and had no reason to know that it made the payment to an attacker on the OFAC sanctions list.
As a further attempt to discourage ransom payments to sanctioned entities, the Financial Crimes Enforcement Network released an alert to all financial institutions “to be vigilant against efforts to evade the expansive sanctions and other U.S.-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.”
The imposition of sanctions by the US government has evolved greatly over the last year or so, not just due to the increased risk of nefarious cyber-attacks, but in large part due to the Russian-Ukrainian conflict. It is more important than ever, before considering paying a ransom, to ensure that you are in compliance with OFAC rules and requirements, and that the payment of ransom does not cause the cyber victim more harm than good.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.