Last month, reports surfaced that fitness technology company Garmin may have made a multimillion-dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions. This incident and other recent reports of ransomware attacks against large companies highlight that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Ransomware Overview
As illustrated by recent attacks, cybercriminals have increasingly directed ransomware towards multinational companies with the expectation of large payouts. As a type of malicious software, ransomware typically infects a target indirectly through spear phishing attacks using fraudulent emails and websites, or directly through network vulnerabilities. Upon infection, the ransomware disables a victim’s access to its computer data or systems and demands a ransom payment in order to recover access to the victim’s data or network.
As a matter of general policy, the U.S. government “does not encourage paying a ransom to criminal actors” but “understands that . . . executives will evaluate all options to protect their shareholders, employees, and customers.”[1] Facilitated by the increased availability of digital currencies, it is not uncommon for targeted companies to accede to ransom demands in order to avoid costly business disruptions. Companies that decide to make a ransom payment typically do so through a third-party cyber insurance provider or cybersecurity consultant, which then arranges for a Bitcoin payment to the attacker in exchange for a decryption key or tool.
Government Initiatives
Of course, ransomware attacks are not new and there has been a growing chorus of alerts and guidance issued by U.S. authorities over the past few years highlighting the increasing threat and sophistication of attacks.[2] Perhaps more subtle, however, is the groundwork U.S. authorities have laid in recent years to publicly identify malicious cyber actors and cyber threat indicators, and the implications of these developments for companies facing ransomware attacks.
Identifying malicious cyber actors. On April 1, 2015, President Obama issued Executive Order (E.O.) 13694, later amended by E.O. 13757 (Dec. 28, 2016), authorizing the imposition of blocking sanctions on persons directly or indirectly engaged in a number of malicious cyber activities, including, most relevantly, “causing a significant disruption to the availability of a computer or network of computers.”[3] To date, over 100 individuals and entities have been blocked under the Order’s cyber-related sanctions program (i.e., designated on the List of Specially Designated Nationals and Blocked Persons (SDN List) maintained by the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC)).[4] On November 28, 2018, OFAC for the first time identified digital currency addresses associated with sanctioned persons when it sanctioned two Iranian individuals involved in the 2015 SamSam ransomware scheme.[5] In its accompanying press release, OFAC signaled increased enforcement attention to digital currencies and issued new FAQs providing guidance on blocking digital currencies.[6]
Identifying cyber threat indicators. Separately, the Department of Homeland Security (DHS) has promoted a number of cyber threat information sharing initiatives. On February 13, 2015, President Obama signed E.O. 13691, which directed DHS to help develop Information Sharing and Analysis Organizations (ISAOs) to gather and share information on cyber threats amongst private and public entities across industry sectors and regions.[7] On November 16, 2018, DHS launched the Cybersecurity and Infrastructure Security Agency (CISA) to further facilitate public-private cooperation and information sharing, including through the provision of real-time cyber threat indicators and identifiers. In addition to these government initiatives, for-profit vendors also offer services premised on the same principle of collective defense and information sharing.
The enhanced (if still limited) visibility into cyber threats and their perpetrators resulting from these developments raises important legal considerations for companies facing ransomware attacks, as well as opportunities for risk mitigation.
Applicability of U.S. Economic Sanctions to Ransom Payments
As a general matter, U.S. companies (and, to the extent there is a U.S. nexus to a particular transaction or activity, non-U.S. companies) are subject to U.S. sanctions laws. OFAC has made clear that sanctions compliance obligations apply “[r]egardless of whether a transaction is denominated in a digital currency or traditional fiat currency.”[8] Companies acting within U.S. jurisdiction are therefore prohibited under U.S. economic sanctions from making ransom payments directly or indirectly to a number of categories of actors, including:
- individuals and entities designated on OFAC’s SDN List, including:
  - persons designated as malicious cyber actors under E.O. 13694, and
  - terrorists (e.g., parties identified as Specially Designated Global Terrorists and Foreign Terrorist Organizations);
- entities 50% or more owned by one or more individuals or entities designated on the SDN List;
- sanctioned governments; or
- persons located, organized, or resident in sanctioned territories (Crimea, Cuba, Iran, North Korea, and Syria).
U.S. authorities view their jurisdiction expansively. Non-U.S. companies are subject to U.S. jurisdiction to the extent that they act within the United States, which includes acting through U.S.-incorporated entities or engaging in transactions involving U.S. goods, persons, or entities. A non-U.S. company seeking to make a ransom payment to a sanctioned entity would thus be prohibited from making U.S. dollar transactions (almost all of which are routed and cleared through the U.S. financial system) for the purchase of digital currencies used for a ransom payment, or engaging with U.S. persons or entities, including U.S.-based digital currency exchanges and intermediaries, in facilitating such payment. Companies operating in Europe are additionally subject to the EU’s recently implemented cyber sanctions.[9]
In addition to the above restrictions, the United States also maintains so-called secondary sanctions aimed at deterring targeted dealings relating to, among other activities, malicious cyber activities outside U.S. jurisdiction. Under E.O. 13694, non-U.S. persons who are determined by the Secretary of Treasury to have “materially assisted” or provided financial support for any persons blocked under the same executive order may themselves become a target of sanctions.[10] While such designations involve considerable U.S. government discretion, in theory any non-U.S. person, regardless of location, potentially risks being designated on the SDN List for making a payment in any currency to a person sanctioned under E.O. 13694.
Practical Considerations
Companies should ensure that their cyber incident response plans include consideration of potential legal liabilities in any risk assessment for engaging with an attacker. In particular, companies should implement (or insist that third-party intermediaries implement) diligence procedures, including sanctions screening, prior to making any ransom payment.
Companies considering a ransomware payment should take particular care where there are indicators that the perpetrator may be a sanctions target. Willful violations of U.S. sanctions, including willfully attempting to violate or aiding and abetting the commission of a violation of U.S. sanctions, may result in criminal liability.[11]
In most circumstances, however, an attacker’s identity cannot be determined with certainty. In these situations, companies assessing the risks of making a ransom payment should nevertheless consider available contextual and other information relating to the potential identity or location of the attacker, drawing on private-sector service providers, ISAOs, and U.S. government resources such as CISA and the Federal Bureau of Investigation’s cyber crime unit. Because civil liability under U.S. sanctions operates under strict liability, a company that makes a ransom payment to a sanctioned attacker could be subject to severe monetary penalties regardless of whether the company knew that the attacker was a target of sanctions. And while OFAC is likely to consider the company’s knowledge when determining whether to bring an enforcement action or when calculating the severity of the penalty, OFAC has wide discretion to begin an investigation, which can result in significant burdens on the company and may itself qualify as a disclosable event.
Companies should carefully consider the advantages and implications of engaging with government authorities, both before making a payment and afterwards if it emerges that a sanctioned party received the payment. While companies are not affirmatively obligated to report potential sanctions violations to the government, law enforcement agencies may be able to provide support, including information potentially relevant to an attacker’s identity. Early engagement with the U.S. government and a good faith effort to confirm whether an attacker is a sanctions target could reduce the likelihood of an enforcement action if it is later determined that the attacker was a sanctioned individual or entity.
[1] See U.S. Interagency Guidance, “Ransomware Prevention and Response for CISOs” (July 14, 2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view; Federal Bureau of Investigation, “High Impact Ransomware Attacks Threaten U.S. Businesses and Organizations,” Alert No. I-100219-PSA (Oct. 2, 2019), https://www.ic3.gov/media/2019/191002.aspx. See also U.S. Department of Justice, Report of the Attorney General’s Cyber Digital Task Force (July 2, 2018), https://www.justice.gov/ag/page/file/1076696/download.
[2] In July 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a joint statement with a number of public policy and industry groups, warning of the growing number of ransomware attacks and calling on state and local governments to take “immediate action to safeguard against ransomware attacks.” Dep’t of Homeland Security, “CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks” (July 29, 2019), https://us-cert.cisa.gov/sites/default/files/2019-07/Ransomware_Statement_S508C.pdf. In October 2019, the Federal Bureau of Investigation released a Public Service Announcement warning that ransomware attacks “are becoming more targeted, sophisticated, and costly.” Federal Bureau of Investigation, “High Impact Ransomware Attacks Threaten U.S. Businesses and Organizations,” Alert No. I-100219-PSA (Oct. 2, 2019), https://www.ic3.gov/media/2019/191002.aspx. On July 10, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Cybersecurity Ransomware Alert, noting that it “has observed an apparent increase in sophistication of ransomware attacks on SEC registrants.” Securities and Exchange Commission, “Cybersecurity: Ransomware Alert” (July 10, 2020), https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf.
[3] Similar country-specific authorities exist with respect to persons engaging in “significant activities undermining cybersecurity” on behalf of the North Korean and Russian governments. See E.O. 13722, Sec. 2(a)(v); Countering America’s Adversaries Through Sanctions Act (CAATSA), Sec. 224.
[4] See, e.g., OFAC, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware” (Dec. 5, 2019), https://home.treasury.gov/news/press-releases/sm845.
[5] See our earlier blog post on the designations, available at https://www.clearygottlieb.com/news-and-insights/publication-listing/ofac-lists-digital-currency-addresses-for-first-time-releases-new-guidance.
[6] OFAC, “Press Release: Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses” (Nov. 28, 2018), https://home.treasury.gov/news/press-releases/sm556.
[7] Executive Order 13691, 3 C.F.R. 13691 (Feb. 13, 2015).
[8] U.S. Dep’t of the Treasury, “Press Release: Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses” (Nov. 28, 2018), https://home.treasury.gov/news/press-releases/sm556.
[9] Council of the European Union, “EU imposes the first ever sanctions against cyber-attacks” (July 30, 2020), https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/.
[10] See E.O. 13694 Sec. 1(a)(iii)(B). E.O. 13722, Sec. 2(a)(vii) separately authorizes the imposition of secondary sanctions against persons who materially assist or provide financial support for persons designated under the E.O. for, among other activities, engaging in malicious cyber activities.
[11] Federal criminal law further prohibits knowingly providing “material support or resources” to a Foreign Terrorist Organization, including the provision of “any property, tangible or intangible . . . including currency or monetary instruments.” 18 U.S.C. § 2339A(b)(1). Notably, unlike U.S. primary sanctions, the prohibition against material support applies regardless of whether any conduct related to the offense occurred within the United States. 18 U.S.C. § 2339B(d)(1)-(2).