OFAC September 2021 Advisory: Illusory Solutions to Soften the Enforcement Threat?
On September 21, 2021, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an updated advisory on potential sanctions risks for facilitating ransomware payments. Historically, OFAC has identified malicious cyber threat actors under its sanctions programs and imposed sanctions on developers and purveyors of malicious cyber activity, on individuals who provide material support for malicious cyber activity, and on threat actor groups who engage in malicious cyber activities. The sanctions have been authorized by the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). Their purpose is to disrupt funding for certain malicious cyber activities and limit activities that may be adverse to the national security and foreign policy objectives of the United States.
In current practice, on a daily basis, professional service providers respond to ransomware attacks and assist victim businesses to become operational after malicious actors have locked down their networks and stolen sensitive data. Their data is often inaccessible without payment of an extortionate ransom demand, and disclosure of their sensitive data is at risk unless an extortionate fee is paid. These malicious activities threaten to destroy the business models and livelihoods of legitimate, hard working business owners and employees. The professionals who assist these victim businesses include incident response law firms and providers of digital forensics, network restoration, and ransom negotiation and payment services. The victim businesses with whom they work often feel compelled to make an extortionate ransom payment to save their businesses and the livelihoods of their employees. These payments are the subject of the September 21, 2021 OFAC advisory.
The OFAC advisory reiterates the U.S. government position discouraging payment of cyber ransom demands. It outlines various civil penalties that may be levied for violations of sanctions laws and regulations administered by OFAC, including those based on strict liability – when a person does not know they may be in violation of sanctions laws or regulations. It then encourages professional services firms that assist businesses in responding to malicious cyber attacks to develop OFAC compliance programs. It outlines the OFAC Enforcement Guidelines, which suggest that the existence, nature, and adequacy of a sanctions compliance program may mitigate exposure to potential sanctions-related violations. It also reminds firms that facilitate ransomware payments on behalf of victim businesses to consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.
Unfortunately, although the OFAC advisory is long on “reminders” of potential liability to those who assist victims of malicious cyber attacks, it is short on effective assistance to them. It suggests that reliance upon certain government prevention guides may be deemed a significant mitigating factor in OFAC enforcement responses. Unfortunately, those resources contain certain illusory prevention measures such as keeping antivirus signatures up to date. While this is certainly a basic aspect of information security, these measures fail to recognize that customized malware associated with ransomware attacks evades the protection of antivirus products every day. The OFAC advisory also suggests that by contacting government agencies, victim businesses may gain access to their data through “alternative decryption tools,” and that they may be able to recover portions of ransom payments. These outcomes are not only unlikely for most businesses, but they may produce dangerous delays in the recovery process. The message is clear, however, that the Department of Treasury discourages businesses from facilitating ransom payments for victims of malicious cyber attacks.
Malicious ransomware attacks continue to have a devastating effect on victim businesses. Although the OFAC advisory is not necessarily intended to provide assistance to those businesses, it does contain certain effective prevention measures such as maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, and employing authentication protocols. It also appropriately recommends cooperation with law enforcement, including the reporting of incidents to the FBI Internet Crime Complaint Center, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Secret Service, and/or the U.S. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). By reporting to one or more of these entities and providing certain indicators of compromise from digital forensics investigations, victim businesses can assist the FBI, and perhaps other agencies, to aggregate the information with other investigations, and increase the likelihood of holding the malicious perpetrators accountable. Anything that can further that purpose is worth the effort.