On September 21, 2021, the Department of Treasury took two significant steps in further articulating its position on the payment of ransoms in cyber extortion matters.
First, the Office of Foreign Assets Control (OFAC) added SUEX – a virtual currency exchange – to its Specially Designated Nationals (SDN) list, based on its analysis that as much as 40% of SUEX's known transaction history has been associated with illicit actors.
Second, it issued its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Updated Advisory). Notable content from the Updated Advisory includes:
• Payment is discouraged. The U.S. Government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.
• Law enforcement and regulatory body reporting, and cooperation with law enforcement, remains an essential step in the ransomware incident response process. In the case of a ransomware payment with a potential sanctions nexus, OFAC will consider as a significant mitigating factor, among other things, an entity’s complete and self-initiated report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), “as soon as possible after discovery of an attack.” OFAC encourages victims to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center or their local U.S. Secret Service office as soon as possible. Victims should report ransomware attacks and payments to the OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to ransomware payment. OFAC will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack – e.g., providing all relevant information such as technical details, ransom payment demand and ransom payment instructions as soon as possible – to be a significant mitigating factor if an enforcement action is pursued.
• Preventative protection and recovery efforts matter. Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in CISA’s September 2020 Ransomware Guide, will be considered a significant mitigating factor in any OFAC enforcement response. The Updated Advisory notes these steps could include maintaining offline backups of data; developing incident response plans; instituting cybersecurity training; regularly updating antivirus and anti-malware software; and employing authentication protocols – all important hygiene steps.
• License applications remain a possibility. While applications will continue to be reviewed on a case-by-case basis, the presumption of denial articulated in the October 2020 Advisory remains.
• We have more, but still limited, visibility into OFAC enforcement actions. While each potential enforcement matter depends on its specific facts and circumstances, OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response, such as a No Action Letter or a Cautionary Letter, when an organization timely reports the event to the relevant law enforcement and regulatory agencies, cooperates with any investigation resulting from the event or the report, and takes steps to better protect against a ransomware infection impacting the victim organization’s systems.
Organizations of all sizes and from all industry sectors face the risk of a ransomware event impacting the security of their systems and data. Mullen Coughlin’s team of 90+ attorneys possesses unmatched experience in handling over 20,000 data privacy events, including over 1,000 ransomware events in 2020 and over 800 ransomware events in 2021 (to date).
For more information on the Updated Advisory, as well as ransomware preparedness services and incident response services, please contact John F. Mullen (267.930.4791), Jennifer A. Coughlin (267.930.4774) or Carolyn Purwin Ryan (267.930.6836).