On October 1, 2020, the Department of the Treasury issued two related advisories to assist U.S. companies in efforts to combat ransomware scams and attacks. In addition to offering guidance, the advisories note that anti-money laundering and economic sanctions regulations implemented and enforced by Treasury’s Office of Terrorism and Financial Intelligence may be triggered by persons or companies involved in facilitating ransomware payments.
Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The advisory highlights OFAC’s sanctioning and designations of numerous malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program. It notes that companies “that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” The advisory encourages cooperation with law enforcement and offers guidance and U.S. government resources for reporting ransomware attacks. It also provides information on the factors OFAC generally considers when determining an appropriate enforcement response to any sanctions violation, such as facilitating certain ransomware payments.
Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The advisory serves to “alert financial institutions to predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities.” It provides information on “the role of financial intermediaries in payments, ransomware trends and typologies, and related financial red flags.” It also reminds U.S. financial institutions of their regulatory obligations to report suspicious activity involving ransomware and of information-sharing requirements under the USA PATRIOT Act.