Many Americans were still celebrating Fourth of July when they learned of another ransomware attack—one more sophisticated and with more sinister purposes than previous attacks. The “biggest ransomware attack on record”¹ was carried out against Kaseya Limited (Kaseya), a Florida-based IT company. A group affiliated with Russian-based Ransomware Evil or “REvil,”² a ransomware-as-a-service operation, claimed responsibility for this attack. The attackers accessed Kaseya’s customer data and demanded a ransom of $70 million—the largest ransomware payment demand thus far. The seriousness of this attack—and what marks an escalation in the modus operandi of these criminal organizations—is that the attack on Kaseya was not just meant to impact its systems but all its clients’ systems as well by the method known as ricocheting. Ricocheting is the infiltration of the network of a major player in the IT supply chain, most commonly seen in cyber-espionage,³ and then using it to push malware to their customers’ systems.

The attack on Kaseya followed another large-scale ransomware attack on the Colonial Pipeline in May, the largest ever cyberattack on the American energy system due to the scale of the operational and economic impact. Colonial Pipeline, the largest petroleum pipeline in the U.S., carries approximately 2.5 million barrels a day of gasoline, diesel, heating oil and jet fuel on its 5,500-mile route from Texas to New Jersey. The company was forced to take some systems offline for several days, causing panic-buying at the fuel pumps, shortages and price spikes in some states. An interesting fact about the attack on Colonial Pipeline is that the company made the ransomware payment of $4.4 million by using 75 bitcoins. The FBI Ransomware and Digital Extortion Task Force traced the payment and recovered 64 of the 75 bitcoins, making this seizure a rare example of ransomware payments being recovered.

Undoubtedly, the COVID-19 pandemic has imposed unprecedented challenges on businesses, precipitating a significant increase in cyberattacks.⁴ Victims of ransomware attacks, which could b businesses large and small, are put in a challenging position as they attempt to maintain day-to-day operations while managing the privacy and confidentiality concerns of their comprised data. In addition to the financial burden caused by the accompanying ransom demand, businesses that facilitate payments to attackers could also be potentially violating sanctions regulations.

The Office of Foreign Assets Control Advisories

On October 1, 2020, the Office of Foreign Assets Control (OFAC) issued an advisory to assist individuals and businesses in responding to ransomware payment demands with associated sanctions risks. The advisory reinforces previous government guidance⁵ not to pay ransomware attackers and goes a step further by issuing a warning to victims—and the businesses that assist victims in facilitating payments—that they could be in violation of U.S. sanctions if remitting payment to individuals or entities in sanctioned jurisdictions or sanctioned parties. The advisory makes specific references to businesses involved in providing cyber insurance and reinsurance, and financial services businesses such as banks and money services businesses, that could be involved in the facilitation of ransomware payments. On September 21, 2021, OFAC updated the advisory⁶ to highlight the sanctions risk associated with ransomware payments and the proactive steps that companies can take to mitigate those risks. In addition, the updated advisory reinforces the importance of mitigating factors (e.g., voluntary self-disclosure, as defined in the OFAC enforcement guidelines).⁷ A brief summary of the substantial changes is as follows:

1. For the first time, OFAC added a virtual currency exchange to the Specially Designated Nationals (SDN) list. The updated advisory designated SUEX OTC, S.R.O. (SUEX), for its role in “providing material support to the threat posed by criminal ransomware actor.”⁸ More than 40% of SUEX’s known payments were associated with sanctions individuals and/or entities, and they involved illicit proceeds from at least eight ransomware variants.
2. OFAC explicitly discourages businesses and individuals from paying ransom demands. The advisory highlights that instead businesses should focus on “strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” The updated advisory recommends that businesses implement the cybersecurity practices included in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Ransomware Guide.”⁹
3. The advisory underscores the significance of the following mitigating factors when OFAC is determining an enforcement response for a potential violation of U.S. sanctions laws and regarding ransomware payments.
   • Existence and sufficiency of a ransomware’s sanctions compliance program
   • Whether the victim of the attack has been implementing the protocols and processes recommended in the CISA’s “Ransomware Guide,” to prevent the attack
   • If the victim of the attack, self-initiated and submitted a report of a ransomware attack to any U.S. law enforcement agency, or other relevant government agencies
   • If the ransomware victim demonstrates “full and ongoing cooperation”¹⁰ with law enforcement

Recommended Mitigating Measures: A Risk-Based Approach to Governance

Considering the increasing threat of ransomware attacks, it is critical that businesses, including financial institutions (FI), revise existing processes and establish effective protocols to identify and manage the sanctions risk of facilitating a ransomware payment.

A risk-based approach entails the mise en place of adequate governance tools and controls and given the regulatory attention to ransomware by the U.S. Treasury Department, FIs should develop a robust ransomware compliance program that is commensurate with the regulatory risk or adjust and enhance their existing processes and procedures to (1) provide for regulatory oversight, and (2) mitigate any sanctions risks, if the ransomware payment is facilitated.

1. Preventative measures and regulatory oversight
   a. As highlighted by OFAC, a risk-based compliance program and procedures would be a significant mitigating factor when enforcement actions are decided against according to the OFAC enforcement guidelines in the event that a ransomware payment is facilitated by the FI.
   b. A risk management committee, conformed by senior leadership and subject-matter experts, is viewed by OFAC as evidence of an entity’s commitment to compliance.
   c. There should be data-driven risk assessment that entails cybersecurity vulnerabilities in the systems, any components of system resilience and any vulnerability in human resources.
   d. Internal controls comprised of, although not limited to, written policies and procedures, including business continuity processes, sufficient enforcement mechanisms of these policies and procedures, record-keeping practices and a clearly defined communication plan to all relevant staff, especially those operating in high-risk roles and functions.
   e. A business continuity plan and process must be in place and should include a robust data backup to ensure that operations are not interrupted or heavily disrupted.
   f. Most attacks begin with phishing and spear phishing, as well as the exploitation of human vulnerabilities. Hence, periodic ransomware and cybersecurity-related training should be readily available for all relevant staff.
2. Mitigating sanctions risks when the ransomware payment is facilitated
   a. Contact law enforcement in consultation with legal counsel.
   b. Conduct risk assessments, including the determination (e.g., if any personally identifiable information has been exposed).
   c. Assess and determine payment and nonpayment options, which must be clearly and robustly documented, and if possible, with the assistance of a federal enforcement agency (e.g., FBI, Royal Canadian Mounted Police [RCMP], among others)

Conclusion

The updated advisory issued by the U.S. Treasury Department further advances the U.S. government’s extensive counter-ransomware strategy and emphasizes the need for improving cybersecurity practices, reporting to U.S. government agencies, collaboration and cooperation between the public and private sector, and maintaining close relationships with international partners, including law enforcement agencies worldwide.

The Treasury also encourages victims of attacks and related businesses (e.g., cyberinsurance companies) to report the attacks and cooperate fully with law enforcement, as soon as practicable, to take advantage of significant mitigating factors to OFAC’s potential enforcement action, such as voluntary self-disclosure credit if a sanctions nexus is determined in the payment of the ransom.

All things considered, a risk-based approach to governance and documentation for FIs, and the implementation of preventative measures as a means to mitigate the regulatory risk—particularly sanctions risks associated with ransomware payments—are the minimum and most reasonable steps that FIs and businesses should take to ensure compliance with the expectations set by OFAC in its advisories.

Noelia Cornejo, senior manager, global sanctions, policies & procedures, Scotiabank

1. “Hackers demand $70 million to end biggest ransomware attack on record,” CBS News, July 6, 2021, https://www.cbsnews.com/news/ransomware-attack-revil-hackers-demand-70-million/
2. Jonathan Vanian, “Everything to know about REvil, the group behind a big ransomware spree,” Fortune, July 7, 2021,
3. Tony Bradley, “When is a Cybercrime and act of CyberWar?” PC World, February 20, 2012, https://www.pcworld.com/article/468398/when_is_a_cybercrime_an_act_of_cyberwar_.html “A cybercriminal is generally motivated purely by profit. That is a different goal than cyber espionage, which seeks to access intellectual property for military or industrial strategic advantage, or cyberwar, which focuses on actually sabotaging infrastructure, disrupting critical systems, or inflicting physical damage on an enemy.”
4. “INTERPOL report shows alarming rate of cyberattacks during COVID-19,” Interpol, August 4, 2020, https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
5. “Scams and Safety,” Federal Bureau of Investigation, https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
6. “Department of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Department of the Treasury, September 21, 2021 https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf
7. In “31 CFR Appendix A to Part 501 -Economic Sanctions Enforcement Guidelines,” Legal Information Institute, https://www.law.cornell.edu/cfr/text/31/appendix-A_to_part_501 “Voluntary self-disclosure means self-initiated notification to OFAC of an apparent violation by a Subject Person that has committed, or otherwise participated in, an apparent violation of a statute, Executive order, or regulation administered or enforced by OFAC, prior to or at the same time that OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation or another substantially similar apparent violation.”
8. “Treasury Takes Robust Actions to Counter Ransomware,” U.S. Department of the Treasury, September 21, 2021, https://home.treasury.gov/news/press-releases/jy0364
9. “CISA Ransomware Guide” CISA, September 2020, https://www.cisa.gov/stopransomware/ransomware-guide
10. “Department of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Department of the Treasury, September 21, 2021, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf