On October 1, 2020, the US Department of the Treasury (“Treasury”) issued a pair of advisories to alert companies about risks associated with ransomware scams and attacks. Ransomware is malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. The advisories suggest that such attacks have become increasingly common during the COVID-19 pandemic as cyber actors target online systems US parties rely on to continue conducting business.
The first advisory from the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) provides general information on the role of financial intermediaries in the processing of ransomware payments, and a list of ransomware-related financial red flags, including instances in which organizations in high-risk sectors (e.g., government, financial, educational, healthcare) engage in transactions with companies known to facilitate ransomware payments. The advisory also reminds financial institutions of circumstances in which they may be required to file “suspicious activity reports” pursuant to the Bank Secrecy Act (“BSA”) in connection with ransomware payments conducted by, at, or through the financial institution, and of a safe harbor authorized by the USA Patriot Act on sharing information among financial institutions to identify, report, and prevent ransomware schemes. Finally, it calls attention to the role that digital forensics and incident response firms, cyber insurance companies, and money services businesses play in facilitating ransomware payments to cybercriminals, often by exchanging customers’ fiat funds for virtual currencies and then transferring those currencies to criminal-controlled accounts, and highlights related BSA obligations and sanctions risks.
The second advisory from the Treasury’s Office of Foreign Assets Control (“OFAC”) highlights the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities. OFAC notes that demand for ransomware payments has increased during the pandemic and illustrates situations in which a ransomware payment may have a sanctions nexus, including if the payment is made to a sanctioned person or involves a sanctioned jurisdiction. In addition, OFAC states that it will consider a company’s voluntary timely reporting of ransomware attacks a significant mitigating factor in any potential enforcement action if the activity the company engaged in is later determined to have a sanctions nexus. Further, OFAC will review license applications involving ransomware payments on a case-by-case basis with a presumption of denial. For more information about the OFAC advisory, please see our colleagues’ blog post here.
Taken together, the advisories may discourage depository institutions and money services businesses, including cryptocurrency exchanges, from participating in transactions involving ransomware payments. This may be especially true when the perpetrator demanding a ransom payment is anonymous or pseudonymous, which may make it difficult to evaluate whether the perpetrator may be a sanctioned person or located in a sanctioned jurisdiction.