In the wake of increased ransomware attacks over the course of the last several months, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has updated a guidance it released last year on potential sanction risks if facilitating ransomware payments. As indicated in the original guidance, OFAC has designated several threat actors as “malicious cyber attackers,” including the developers of Cryptolocker, SamSam, WannaCry, and Dridex. OFAC has indicated that it will impose sanctions on those who financially (or otherwise support) these actors, including by making ransomware payments to them. Sanctions can range from non-public (for example No Action Letters or Cautionary Letters) to public actions (including for example payment of civil monetary penalties).

In this new guidance, OFAC has indicated what factors would be “more likely” result in the matter closing with a non-public action. They are improving cyber security practices prior to an incident and working closely with law enforcement in the event of an incident. Improvement measures mentioned by the guidance include keeping backups (offline), having an incident response plan, conducting training, updating virus software, using authentication protocols, and otherwise following the Cybersecurity and Infrastructure Security Agency’s 2020 guide on ransomware. In other words, a risk-based compliance program to mitigate potential exposure if a company finds itself in a position of potential exposure to sanctions’ violations. This guidance came on the heels of OFAC’s sanctions of a cryptocurrency for its involvement in payment to ransomware threat actors (see article on our sister blog).

Putting It Into Practice: Is your organization prepared for a potential cyber incident? The cyber security practices outlined in OFAC’s guide can not only help a company be prepared for a potential incident, but also put it in a better posture in the event a ransomware demand is made.