Jul 22, 2021

Facilitating Ransomware Payments Can Result in Sanctions Violations and OFAC Penalties

(July 22, 2021) – Cybercrime has made its way into the mainstream with more businesses, organizations, and individuals falling victim to this widespread threat. Cybercriminals, who are often backed by nefarious groups, have gone international and can now effectuate an attack from the other side of the globe. It seems no industry sector is off limits to these attacks, with healthcare organizations, food producers, and even large-scale infrastructure falling victim. It is important for businesses to understand the types of threats targeting their industry, as well as the risks posed in responding to these threats.

Recently Targeted Industries

Healthcare organizations have been routine targets for cybercriminals, particularly during the COVID-19 pandemic. Throughout 2020, it is estimated that more than 600 hospitals, clinics, and healthcare organizations were victimized by ransomware attacks. Indeed, in October 2020, several U.S. hospitals were targeted by ransomware attacks leading to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) issuing a warning advisory stating that multiple agencies, including CISA, FBI, and HHS, “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Food suppliers have also fallen victim recently. In late May 2021, the meat supplier JBS USA was the victim of a cyberattack leading to the complete shutdown of its U.S. beef processing operation. JBS USA ultimately made the decision to pay the ransom, $11 million, despite the majority of its operations having been brought back online prior to the payment. The JBS USA attack has led many in the food supply industry to take a hard look at the industry’s supply chain infrastructure to prevent another similar attack.

Large-scale infrastructure projects and structures are also high-value targets for nefarious actors. The most well-known example is the Colonial Pipeline attack. That attack transcended the virtual world and entered the physical when the malware disrupted the Colonial Pipeline’s gas supply, thereby causing widespread public panic regarding gas supply and pricing. The Colonial Pipeline’s management ultimately paid the ransomware demand, a total of $4.4 million in Bitcoin.

The Office of Foreign Assets Control

With an increasing number of ransomware attacks targeting U.S. businesses, an agency within the U.S. Department of Treasury, the Office of Foreign Assets Control (“OFAC”), is taking a stronger stance against not only the attackers themselves, but also those who “materially support” such activities. OFAC administers and enforces U.S. economic and trade sanctions programs through its regulations. OFAC requires all U.S. persons, including U.S. non-profit and for-profit entities, to adhere to its applicable regulations, regardless of where the U.S. person is located. OFAC sanctions extend beyond suspected or known terrorists to encompass narcotraffickers, individuals involved in human rights abuses (e.g., Belarus government officials and Burma (Myanmar) military officers), and, in some instances, even extend to entire countries in the form of comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, and Iran). OFAC maintains a list known as the “Specially Designated Nationals and Blocked Persons List” (“SDN List”), which contains approximately 6,300 names connected with sanctions targets. The assets of these parties are blocked, and U.S. persons are generally prohibited from dealing with them unless OFAC authorizes the transaction with the SDN parties through a General License or Specific License.

In addition to OFAC’s other sanctions programs, OFAC also designates cyber actors under its cyber-related sanctions program. This list includes perpetrators of ransomware attacks and those individuals or organizations that facilitate ransomware attacks and transactions.

OFAC’s October 2020 Advisory

OFAC has taken steps to deter ransomware payments by issuing guidance warning that companies and individuals who make or facilitate ransomware payments to bad actors could be penalized for violating OFAC regulations. In October 2020, OFAC issued an Advisory which states, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” In other words, according to the Advisory, there is risk associated with victim businesses quickly paying ransom to resolve ransomware attacks without a more complete understanding of to whom they are paying the ransom, which could include bad actors on the SDN List.

Indeed, during testimony before the U.S. Senate, Joseph Blount, the Colonial Pipeline’s President and CEO, was asked by Senator Rob Portman (Ohio) several questions about what the company did to ensure it was complying with OFAC regulations before making the ransom payment, including whether it was in contact with OFAC before making the decision to pay the ransom. Senator Portman stated that the hearing was about looking forward for preventative measures that could be put in place to ensure sanctioned entities are not receiving payments, “which would be a violation of law.” The potential penalties OFAC could impose are significant. As of March 17, 2021, the maximum civil monetary penalty (“CMP”) for most OFAC violations, charged under the International Emergency Economic Powers Act (“IEEPA”), is $311,562, adjusted for inflation pursuant to the Federal Civil Penalties Inflation Adjustment Act of 2015.

OFAC’s October 2020 Advisory does make clear, however, that OFAC will consider a “self-initiated, timely, and complete report of [the] ransomware attack to law enforcement” and “fully and timely cooperation with law enforcement both during and after a ransomware attack” to be significant mitigating factors in determining the appropriate enforcement action if it is later determined that the payment had a “sanctions nexus.” But despite the potential for mitigation, businesses caught in a catch-22 of whether to pay the ransom demand or have their business operations halted, potentially indefinitely, must be informed of and extremely sensitive to the risks of making ransom payments to anonymous parties operating outside the U.S.

Conclusion

The Government is adapting and focusing its enforcement methods to curtail ransomware attacks. While prevention is the best tool to avoid having to make a difficult decision on whether to make a ransom payment, it is important to be ready, be informed, and know who to turn to if your organization or business becomes a victim of a ransomware attack.

The attorneys at Flannery | Georgalis have the experience necessary to help you navigate the complexities of OFAC sanctions, licenses, voluntary self-disclosures, responding to investigations and penalty proceedings and to liaise on your behalf with government agencies and law enforcement.

Should you have any questions, please contact:

JON P. YORMICK – jyormick@flannerygeorgalis.com • M: 216.269.5138, or

EMILY MIKES – emikes@flannerygeorgalis.com • M: 216.650.8655, or

The Flannery | Georgalis attorney with whom you have a relationship.