OFAC Issues Sanctions Guidance for Ransomware Payments
The Office of Foreign Assets Control issued guidance Oct. 1 on the sanctions risks of facilitating ransomware payments. The guidance urged companies to refrain from facilitating payments “on behalf of victims” of cyberattacks because they encourage future payment demands and may risk sanctions violations.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
OFAC said demand for ransomware payments has increased during the COVID-19 pandemic as U.S. people and companies rely more heavily on online systems. OFAC has sanctioned a range of cybercriminal organizations responsible for cyberattacks, including designating in December the Russia-based Evil Corp (see 1912050025). Such designations increase the likelihood that payments to these groups could lead to sanctions violations, OFAC said. The agency stressed that sanctions compliance programs should “account for the risk that a ransomware payment may involve a [Specially Designated National] or blocked person.”
OFAC said it will review license applications involving ransomware payments case by case with a presumption of denial. Victims of ransomware attacks should contact OFAC or other U.S. enforcement agencies, OFAC said, noting self-reporting could be a “significant mitigating factor” if the “situation is later determined to have a sanctions nexus.”