OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law and can be subject to an OFAC enforcement action if they do.

OFAC also named SUEX OTC, S.R.O. (“SUEX”) as a malicious cyber actor, making SUEX the first virtual currency exchange to be designated as a sanctioned entity. According to OFAC and other industry intelligence, approximately 40% of SUEX’s transactions involve illicit actors including nearly $13 million in transactions associated with ransomware operators since 2018.

Increased Risks of Inadvertent OFAC Violations. The Advisory largely tracks prior guidance, which we discussed in October 2020. But since then, the risk of inadvertently paying ransom to a sanctioned entity has increased as (1) some sanctioned threat actors have disbanded and reappeared with new names and updated tools, and (2) many non-sanctioned threat actors have been using tools developed by sanctioned threat actors or are otherwise partnering with sanctioned entities in their attacks.

Cybersecurity Compliance Can Mitigate the Risk of OFAC Enforcement. In light of this increased risk, the most significant development in the Advisory is an explicit recognition that having enhanced cybersecurity controls in place prior to an attack can serve as a mitigating factor in a post-attack OFAC enforcement action in the event that a company has inadvertently made a cyber ransom payment to a sanctioned threat actor.

The Advisory encourages companies to implement a risk-based compliance program and adopt steps to reduce the risk of ransomware, including by adopting or improving practices such as those highlighted in the Cybersecurity Infrastructure Security Agency’s (“CISA”) September 2020 Ransomware Guide (PDF: 2.5 MB), which OFAC will consider “a significant mitigating factor in any OFAC enforcement response.” The practices outlined in that Guide include:

  • Maintaining offline, encrypted backups of data and regularly testing these backups;
  • Conducting regular vulnerability scanning to identify and address vulnerabilities;
  • Regularly patching and updating software;
  • Ensuring proper configuration of devices, including that security features are enabled;
  • Employing best practices for remote desktop protocol (“RDP”), disabling or blocking Server Message Block (“SMB”) protocol, and restricting PowerShell usage;
  • Securing domain controllers and Active Directory;
  • Using application directory allowlisting on all assets to ensure that only authorized software can run and blocking all unauthorized software;
  • Employing multi-factor authentication where possible and applying the principle of least privilege to all systems;
  • Implementing logical or physical network segmentation to separate various business units, IT resources and operational technology environments;
  • Retaining and securing network device and local host logs;
  • Implementing a cybersecurity user awareness and training program;
  • Understanding and mitigating the risk posed by third parties or managed service providers; and
  • Creating, maintaining and exercising a basic cyber incident response and communications plan.

Diligence and Cooperation with Law Enforcement Are Additional Mitigation Factors. The Advisory provides that additional mitigation factors include (1) accounting for the risk that a ransomware payment may involve a sanctioned entity, (2) reporting the attack to the appropriate U.S. government agencies and (3) cooperating with those agencies. In particular, the Advisory provides that full and ongoing cooperation with law enforcement, both during and after a ransomware attack (e.g., providing all relevant information such as technical details, the ransom payment demand and ransom payment instructions as soon as possible), will be a significant mitigation factor and will make it more likely that OFAC will resolve apparent violations with a nonpublic response (i.e., a No Action Letter or a Cautionary Letter). The Advisory also notes that OFAC will consider a company’s self-initiated, complete and immediate report of a ransomware attack to law enforcement or other relevant U.S. agencies to be a voluntary self-disclosure, which is significant as voluntary self-disclosures are entitled to a 50% reduction on any potential penalty.

Presumption Against Licenses. The Advisory also confirms prior OFAC guidance that because ransomware payments benefit illicit actors and undermine national security, there is a presumption of denial for license applications in this area.

Takeaways. In light of the Advisory, companies should consider the following steps to prepare for ransomware attacks and limit potential OFAC enforcement actions for inadvertent payments to sanctioned entities:

  • Sanctions and Cybersecurity Compliance Programs. As we have advised previously, OFAC has made clear—independent of ransomware concerns—the importance of sanctions compliance programs and has highlighted five essential components: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing and (5) training. According to OFAC’s Enforcement Guidelines (PDF: 142 KB), “the existence, nature, and adequacy” of such a program are factors that OFAC may consider when determining an appropriate enforcement action in the event of an apparent violation. Having a very strong cybersecurity compliance program, as outlined in the CISA Ransomware Guide (including testing incident response plans), is now another significant mitigation factor.
  • Prioritize Attribution. As discussed above, identifying the threat actor in a ransomware investigation has become increasingly more difficult. Enhanced forensic tools and increased logging and detection can help companies more quickly identify and analyze ransomware variants and other indicators of compromise, which can be shared with law enforcement and experts to quickly identify the threat actor. The more certainty a company can achieve as to the identity of the attacker, the more confidence it can have in the sanctions risk associated with any payment.
  • Consider External Parties’ Requirements. OFAC’s advisory is a reminder that the victim company is not the only entity associated with a ransom payment that can run afoul of U.S. sanctions laws. Insurance companies, financial institutions and ransom negotiators, among others, also carry this risk. It is therefore important that these entities receive prompt notice of the potential for payment so that their diligence processes do not cause unnecessary delays in a victim entity’s negotiation strategy. Consequently, companies should consider identifying, as part of their incident response planning, all the notifications and sanctions diligence that will be necessary before a payment can be made.
  • Transparency with Law Enforcement. The FBI and other law enforcement agencies may be able to provide critical insight about an attack, including which threat group is associated with certain indicators or artifacts, and whether that group is associated with a sanctioned person or entity. OFAC has repeatedly emphasized the importance of promptly reporting ransomware incidents to law enforcement and providing ongoing cooperation throughout the investigation, and this Advisory again notes that prompt and complete reporting to law enforcement will be considered a voluntary self-disclosure. Companies should therefore consider having the contact information for key law enforcement agencies—including CISA and the local FBI field office—in their incident response plans and consulting with law enforcement before any payment is made.

We will closely follow developments in this area and provide any updates at the Debevoise Data Blog.

Luke Dembosky, Avi Gesser, and Satish Kini are partners, and HJ Brehmer and Sarah Q. Smith are associates, at Debevoise & Plimpton LLP. This post originally appeared on Debevoise’s Data Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.