On Tuesday, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued an updated advisory warning all ransomware victims that if they give in to ransomware demands and pay foreign actors subject to US sanctions, they expose themselves to additional financial risks. OFAC stated that imposing sanctions is an appropriate step to disrupt the economic infrastructure of the ransomware threat, which has been growing over the past year and targeting countless businesses and critical infrastructure operators. While the advisory does not change the law, it does signal increased enforcement and an intent to alert organizations that an even more sophisticated risk assessment is required when a ransomware attack occurs. It also highlights the importance of an up-to-date incident response plan and the need for ransomware victims to have the right incident response team in place before an attack, so that the response complies with the law.
To reaffirm the federal government’s strong discouragement of paying ransom after a cyber attack, the latest OFAC advisory also warns organizations of the heavy civil penalties associated with ransom payments that can be linked to a person or group on the Specially Designated Nationals and Blocked Persons List (“SDN list”). According to the guidance, OFAC can impose civil penalties of up to 20 million.
In addition, in a major change from previous guidance, OFAC now “strongly” encourages all victims of ransomware attacks to report incidents to CISA, the FBI, or other US law enforcement. In return, affected companies can receive significant mitigation credit from OFAC when it determines an appropriate enforcement action. Although no mandatory ransomware notification rule is created, OFAC’s latest advisory creates a strong incentive for organizations hit by a ransomware attack to notify law enforcement agencies, even where no sanctions nexus is known at the time of the attack, so that they can take advantage of this mitigation in the event of an inadvertent violation.
The OFAC advisory also indicates that adopting and improving cybersecurity practices is viewed as a significant mitigating factor for enforcement purposes. In addition to developing incident response plans, such steps could include maintaining offline backups of data, establishing cybersecurity training, regularly updating anti-virus and anti-malware software, and using authentication protocols. CISA recently released a Cyber Security Evaluation Tool to assess different levels of ransomware readiness, intended to be useful to all organizations regardless of their cybersecurity maturity level.
While it is not new that the US government strongly advises against ransomware payments, the latest advisory makes one important point clear: OFAC is focused on disrupting criminals’ ability to profit from attacks anonymously and is prepared to take action against victims who fail to notify law enforcement and pay the ransomware attackers. This latest guidance from OFAC creates even more incentive for private companies to implement robust compliance and cybersecurity programs, to address the need to identify the attackers, and to work closely with federal law enforcement agencies to mitigate the effects of a ransomware attack.