Lawyer Commentary JD Supra United States OFAC Issues Advisory on Ransomware Payments

OFAC Issues Advisory on Ransomware Payments

Document Cited Authorities (1) Cited in Related

On October 1, 2020, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding the potential sanctions risk for entities that facilitate ransomware payments.1 OFAC defined “ransomware” as:

  • A form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.

During a ransomware attack, cyber actors often threaten to expose personal information and demand payment in exchange for the key to decrypt the files and restore user access. OFAC noted that ransomware attacks have increased exponentially over the last three years and have intensified during the COVID-19 pandemic. Due to the significant risk in this area, companies should consider having policies and procedures that integrate cyber security as a pillar for any export control program.

As a part of its sanctions enforcement efforts, OFAC designates individuals and entities that are owned or controlled by, or acting for or on behalf of, targeted countries as “Specially Designated Nationals" (SDNs). OFAC also designates certain individuals, groups, and entities, such as terrorists and narco-traffickers that are not country-specific as SDNs. Collectively, these individuals and entities are placed on a list published on the Department of Treasury’s website.2 Pursuant to the International Emergency Economic Powers Act and the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with SDNs. OFAC is empowered to issue civil penalties for violations of these federal statutes.3

In the recent advisory, OFAC warns against ransomware payments made to sanctioned persons or SDNs. OFAC notes that it can impose civil penalties based on strict liability, meaning that liability can attach even if the individual or entity did not know that it was engaging in a transaction with a person on the SDN list. OFAC advised that these laws and regulations also apply to companies that engage with victims of ransomware attacks, particularly those that facilitate ransomware payments, such as cyber-insurance companies.

The advisory lists a number of factors that OFAC will consider in the event there is a violation of sanctions laws and regulations related to a ransomware attack.

First, OFAC...

Get this document and AI-powered insights with a free trial of vLex and Vincent AI

Start a free trial

Experience vLex's unparalleled legal AI

Access millions of documents and let Vincent AI power your research, drafting, and document analysis — all in one platform.

Start a free trial

Start Your 3-day Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant

  • Access comprehensive legal content with no limitations across vLex's unparalleled global legal database

  • Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength

  • Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities

  • Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting

vLex

Start Your 3-day Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant

  • Access comprehensive legal content with no limitations across vLex's unparalleled global legal database

  • Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength

  • Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities

  • Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting

vLex

Start Your 3-day Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant

  • Access comprehensive legal content with no limitations across vLex's unparalleled global legal database

  • Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength

  • Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities

  • Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting

vLex

Start Your 3-day Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant

  • Access comprehensive legal content with no limitations across vLex's unparalleled global legal database

  • Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength

  • Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities

  • Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting

vLex

Used by the world's leading companies

Herbert Smith Freehills Logo Princeton University Logo University of Oxford Logo K2 Intelligence LLC Logo Bryan Cave Leighton Paisner LLP Logo Kobre & Kim LLP Logo Wiley Logo ABA Logo Perez Lorca Logo Fisher Phillips Logo
vLex Footer Logo
© 2025 vLex. All rights reserved.