Companies that facilitate ransomware payments to cyber actors on behalf of victims ‘not only encourage future ransomware payment demands but also may risk violating OFAC regulations,’ says the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
In its new advisory, OFAC describes the sanctions risks associated with ransomware payments and provides information for contacting relevant U.S. government agencies, including OFAC, ‘if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus’.
OFAC says it encourages financial institutions and other companies to introduce a risk-based compliance programme to mitigate exposure to sanctions-related violations.
This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.
In particular, OFAC highlights that the sanctions compliance programmes of these companies should account for the risk that a ransomware payment may involve ‘a specially designated national (SDN) or blocked person, or a comprehensively embargoed jurisdiction’.
The OFAC advisory can be accessed here.