September 22, 2021

OFAC Updates Ransomware Advisory

Commentary by Steven Lofchie

In an updated advisory, OFAC underscored the sanctions risks arising from ransomware payments made in response to "malicious cyber-enabled activities." OFAC stated that ransomware attacks have spiked during the COVID-19 pandemic as a result of increased reliance on online systems for business operations.

OFAC warned companies of the following potential sanctions risks associated with ransomware payments:

  • ransomware payments can be used by criminals with a sanctions nexus to support illegal operations, including activities that are harmful to U.S. national security or are in contravention of U.S. foreign policy objectives; and

  • OFAC may hold civilly liable any individual who unknowingly makes a ransom payment in violation of the International Emergency Economic Powers Act or to an entity on the Specially Designated Nationals and Blocked Persons List ("SDN List").

To reduce the risk of a ransomware attack and related enforcement implications, OFAC recommended that companies:

  • ensure that their sanctions compliance programs take into consideration the risk of a ransomware payment involving any individual or entity on the SDN List or a sanctioned jurisdiction;

  • adopt cybersecurity practices outlined in the Cybersecurity and Infrastructure Security Agency's ("CISA") September 2020 Ransomware Guide, including (i) the maintenance of offline data backups, (ii) the implementation of incident response plans, (iii) employee cybersecurity training, (iv) routine antivirus and anti-malware software updates and (v) authentication protocols;

  • voluntarily report ransomware attacks as soon as practicable to the relevant government agencies, including CISA, Treasury's Office of Cybersecurity and Critical Infrastructure Protection, and the Federal Bureau of Investigation; and

  • maintain continued and comprehensive cooperation with law enforcement.

OFAC clarified that it will review license applications involving ransomware payments on a "case-by-case basis with a presumption of denial" because such payments can threaten U.S. national security and foreign policy objectives.


OFAC should clarify on what basis it determines when to permit a company to make ransom payments to save its business and when to deny other companies that ability.
