FinCEN and OFAC warn of dangers of ransomware

James Treanor

Cadwalader Wickersham & Taft

5 October 2020

FinCEN warned of the part that financial intermediaries played in facilitating ransomware payments and reminded financial institutions that ransomware payments could require them to send suspicious activity reports to the Internal Revenue Service. OFAC, for its part, emphasised the sanctions-related risks that companies face when they take part in ransomware payments to cybermen who may be sanctioned or have something to do with sanctions.

FinCEN listed some indicators of illicit ransomware-related activity, hoping that financial institutions would then go about "detecting, preventing, and reporting suspicious transactions associated with ransomware attacks". These include:

the appearance of a customer's crypto-currency address on open sources linked to ransomware strains;
receipt of funds from a customer-company and the subsequent transmission of equivalent amounts to a crypto-exchange;
customers with limited knowledge of crypto-currencies who purchase such a currency in a large amount or through rush requests;
digital forensics and incident response or cyber-insurance companies that send crypto-transfers; and
unidentified customers to a crypto exchanger who use liquidity provided by the exchange to engage in large numbers of offsetting transactions.

OFAC highlighted designations of numerous malicious cyber-actors and stressed that facilitating a ransomware payment to a sanctioned party on behalf of a victim may break OFAC's sanction-related regulations. OFAC wants to review license applications related to ransomware payments on a case-by-case basis with a presumption of denial.

OFAC also encouraged firms to set up risk-based compliance programmes to stop themselves from breaking sanctions - including violations related to ransomware payments. As explained in OFAC's Economic Sanctions Enforcement Guidelines, the maintenance of an effective compliance programme is a factor that the agency may consider when deciding whether and how to punish firms for non-compliance.

Similarly, OFAC said that it would consider a company's reporting of a ransomware attack to the authorities, as well as subsequent co-operation with investigators, as significant mitigating factors when determining the appropriate enforcement response.

The upshot of these bulletins or 'advisories' is that a firm that is the victim of a significant ransomware attack should not expect an OFAC licence to pay off their data’s captors. It can, instead, expect OFAC to take a hard look at any ransom payments that it might make to a sanctioned party - and even a non-sanctioned parties with a sufficient “sanctions nexus.” At best, the victimised firm may hope for a 'pass' from OFAC if it report its injury to law enforcers and co-operates with the ensuing investigation in a timely, voluntary and complete manner. A victimised firm - already finding itself in a very hard place - will undoubtedly feel that the government has rolled a large rock in its direction if it does not do this.

* James Treanor can be reached on +1 202 862 2330 or at james.treanor@cwt.com