On October 1, 2020, the US Department of the Treasury (“Treasury”) issued a pair of advisories to alert companies about risks associated with ransomware scams and attacks. Ransomware is malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. The advisories suggest that such attacks have become increasingly common during the COVID-19 pandemic as cyber actors target online systems US parties rely on to continue conducting business.

The first advisory from the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) provides general information on the role of financial intermediaries in the processing of ransomware payments, and a list of ransomware-related financial red flags, including instances in which organizations in high-risk sectors (e.g., government, financial, educational, healthcare) engage in transactions with companies known to facilitate ransomware payments. The advisory also reminds financial institutions of circumstances in which they may be required to file “suspicious activity reports” pursuant to the Bank Secrecy Act (“BSA”) in connection with ransomware payments conducted by, at, or through the financial institution, and of a safe harbor authorized by the USA Patriot Act on sharing information among financial institutions to identify, report, and prevent ransomware schemes. Finally, it calls attention to the role that digital forensics and incident response firms, cyber insurance companies, and money services businesses play in facilitating ransomware payments to cybercriminals, often by exchanging customers’ fiat funds for virtual currencies and then transferring those currencies to criminal-controlled accounts, and highlights related BSA obligations and sanctions risks.

The second advisory from the Treasury’s Office of Foreign Assets Control (“OFAC”) highlights the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities. OFAC notes that demand for ransomware payments has increased during the pandemic and illustrates situations in which a ransomware payment may have a sanctions nexus, including if the payment is made to a sanctioned person or involves a sanctioned jurisdiction. In addition, OFAC states that it will consider a company’s voluntary timely reporting of ransomware attacks a significant mitigating factor in any potential enforcement action if the activity the company engaged in is later determined to have a sanctions nexus. Further, OFAC will review license applications involving ransomware payment on a case-by-case basis with a presumption of denial. For more information about the OFAC advisory, please see our colleagues’ blog post here.

Taken together, the advisories may discourage depository institutions and money services businesses, including cryptocurrency exchanges, from participating in transactions involving ransomware payments. This may be especially true when the perpetrator demanding a ransom payment is anonymous or pseudonymous, which may make it difficult to evaluate whether the perpetrator may be a sanctioned person or located in a sanctioned jurisdiction.

Author

Ms. Lis has extensive experience advising companies on US laws relating to exports and reexports of commercial goods and technology, defense trade controls and trade sanctions — including licensing, regulatory interpretations, compliance programs and enforcement matters. She also has advised clients on national security reviews of foreign investment administered by the Committee on Foreign Investment in the United States (CFIUS), including CFIUS-related due diligence, risk assessment, and representation before the CFIUS agencies.

Author

Eunkyung advises clients on various regulatory compliance and trade issues, concentrating on US export controls such as the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR), economic and trade sanctions, US customs and import laws, the US Foreign Corrupt Practices Act (FCPA), and foreign anti-bribery laws.

Author

Daniel Andreeff’s practice focuses on US economic and trade sanctions, including those targeting Iran, Russia, Cuba, Syria, and North Korea, export controls, and anti-boycott laws. He represents clients in national security reviews before the Committee on Foreign Investment in the United States (CFIUS), and has experience in federal court litigation and congressional investigations. His pro bono practice includes providing sanctions and export control advice to a global humanitarian NGO. * Admitted in New York only. Practice in the District of Columbia is under the supervision of a member of the District of Columbia Bar.