OFAC Guidance on Ransomware Payments Is Too 'Vague,' FBI Says
The Office of Foreign Assets Control should clarify its rules surrounding sanctioned ransomware groups, which are vague and are leading to industry confusion, a senior FBI official said this week. Bryan Vorndran, assistant director of the FBI’s Cyber Division, said the FBI has specifically urged OFAC to change its procedures around ransom payments and incident reporting for victims.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
“The guidance from Treasury on sanction payments is opaque. It is not clear. We have gone to Treasury and asked them to clear that up,” Vorndran said during the International Conference on Cyber Security in New York City on July 20, according to a report from The Record, a cybersecurity news publication. “They are comfortable with the language as is.”
The report said victims of cyberattacks are sometimes confused over which ransomware groups are subject to sanctions, partly because “so many have unknown or undisclosed ties to entities” in heavily sanctioned regions, including Russia, Iran and North Korea. Vorndran said companies can always ask the FBI about a particular group so they can check if that group is sanctioned. “Absolutely, we are willing to do that service and we are happy to do that,” he told the conference, according to the report. “That should allow you to be in a good position, should you unwittingly and unknowingly pay a sanctioned entity.”
A Treasury spokesperson declined to comment. The agency has issued guidance on the risks associated with facilitating ransomware payments (see 2109210031 and 2010010018).