On October 1, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments announcing that companies that “facilitate” ransom payments on behalf of ransomware victims may be subject to steep civil money penalties.  This could include intermediaries who negotiate on behalf of victims, cyber insurance firms, and even financial institutions that process the transaction. 

Federal law prohibits U.S. persons from engaging in transactions, either directly or indirectly, with certain persons, groups, or organizations owned or controlled by prohibited foreign governments, such as North Korea, or organizations such as terrorist groups.  These persons, groups, or organizations are identified by the Treasury Department as “Specially Designated Nationals,” or “SDNs,” and are listed on the Department’s “Specially Designated Nationals and Blocked List.”  SDNs are believed to have been behind several large-scale ransomware attacks in recent years, including “WannaCry 2.0” and “SamSam.”

Although the Department’s guidance expressly applies only to “facilitators” of ransom payments, the reasoning behind the guidance seems equally applicable to ransomware victims who make direct contact with the cybercriminal and pay the ransom themselves.  Because payments to SDNs are subject to strict liability, it is irrelevant whether the ransom recipient is known to be on the “Blocked List”; both ransomware victims and those who assist them in paying a ransom now have an additional factor to consider in deciding whether to pay.

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breach and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.