OFAC Guidance on Ransomware Payments Is Too 'Vague,' FBI Says
The Office of Foreign Assets Control should clarify its rules surrounding sanctioned ransomware groups, which are vague and are leading to industry confusion, a senior FBI official said this week. Bryan Vorndran, assistant director of the FBI’s Cyber Division, said the FBI has specifically urged OFAC to change its procedures around ransom payments and incident reporting for victims.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“The guidance from Treasury on sanction payments is opaque. It is not clear. We have gone to Treasury and asked them to clear that up,” Vorndran said during the International Conference on Cyber Security in New York City on July 20, according to a report from The Record, a cybersecurity news publication. “They are comfortable with the language as is.”
The report said victims of cyberattacks are sometimes confused over which ransomware groups are subject to sanctions, partly because “so many have unknown or undisclosed ties to entities” in heavily sanctioned regions, including Russia, Iran and North Korea. Vorndran said companies can always ask the FBI about a particular group so they can check if that group is sanctioned. “Absolutely, we are willing to do that service and we are happy to do that,” he told the conference, according to the report. “That should allow you to be in a good position, should you unwittingly and unknowingly pay a sanctioned entity.”
A Treasury spokesperson declined to comment. The agency has issued guidance on the risks associated with facilitating ransomware payments (see 2109210031 and 2010010018).