OFAC Issues Sanctions Guidance for Ransomware Payments
The Office of Foreign Assets Control issued guidance Oct. 1 on the sanctions risks of facilitating ransomware payments. The guidance urged companies to refrain from facilitating payments “on behalf of victims” of cyberattacks because they encourage future payment demands and may risk sanctions violations.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
OFAC said demand for ransomware payments has increased during the COVID-19 pandemic as U.S. people and companies rely more heavily on online systems. OFAC has sanctioned a range of cybercriminal organizations responsible for cyberattacks, including designating in December the Russia-based Evil Corp (see 1912050025). Such designations increase the likelihood that payments to these groups could lead to sanctions violations, OFAC said. The agency stressed that sanctions compliance programs should “account for the risk that a ransomware payment may involve a [Specially Designated National] or blocked person.”
OFAC said it will review license applications involving ransomware payments case by case with a presumption of denial. Victims of ransomware attacks should contact OFAC or other U.S. enforcement agencies, OFAC said, noting self-reporting could be a “significant mitigating factor” if the “situation is later determined to have a sanctions nexus.”