On November 8, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) designated a virtual currency exchange, Chatex, and its infrastructure support providers on the list of Specially Designated Nationals and Blocked Persons (SDN List) for their role in facilitating financial transactions for ransomware actors.[i]  The Financial Crimes Enforcement Network (FinCEN) also released an updated advisory on ransomware and the use of the financial system to facilitate ransomware payments.[ii]  These actions were taken in furtherance of a coordinated “whole-of-government” effort to disrupt criminal ransomware actors and the virtual currency exchanges used to launder ransom payments around the world.
Continue Reading OFAC Ramps up Targeting of Ransomware-linked Actors and FinCEN Updates Ransomware Advisory

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2]  Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]
Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

U.S. authorities take an expansive view of their jurisdiction when it comes to sanctions. They cannot, however, directly restrict persons outside U.S. jurisdiction from dealing with sanctioned persons. They therefore exert pressure on persons outside U.S. jurisdiction by threatening to designate them as sanctioned persons if they engage in certain activities contrary to U.S. sanctions policy (“Target Activities”). Sanctions imposed in such circumstances are known as ‘secondary sanctions’, and were the topic of the September 2019 judgment of the High Court of England and Wales in Lamesa Investments v. Cynergy Bank. In a ruling that will surprise many, the Court found that the risk of incurring secondary sanctions could be invoked by a party seeking to be excused from its contractual obligations under an illegality clause. While the Court’s interpretation of secondary sanctions appears questionable in several respects, parties will nonetheless need to take it into account when drafting contractual provisions.
Continue Reading High Court of England: U.S. Secondary Sanctions can Trigger Illegality Clauses