Ransomware

In October 2020, the Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the Advisory). The Advisory puts into writing guidance reinforcing the prohibition on ransom payments by ransomware attack victims, not only to the defined class of Specially Designated Nationals (SDNs) targeted under Treasury’s Cyber Sanctions Program, but also to a broad class of any entities with a “sanctions nexus” to SDNs. The Advisory, however, offers no insight into just what constitutes a “sanctions nexus” in the unique context of Treasury’s Cyber Sanctions Program. Nevertheless, the Advisory memorializes OFAC’s ability to impose strict liability on any company that makes the difficult decision to pay a ransom to protect its reputation, business secrets, personal data, and shareholder value. What is more, the Advisory specifically warns the ransom negotiators, insurers, and financial institutions that assist victims who decide to pay that they, too, may be liable for facilitating a ransom payment to a party with the undefined “sanctions nexus.”

There are plenty of good reasons not to pay a ransom, not least of which is the lack of any guarantee that a threat actor will simply disappear, never to return. But in many instances, without paying, management will be unable to run its business or deliver its goods and services. The decision not to pay can be devastating. For example, when a SamSam attack hit the City of Atlanta in March 2018 (an incident referenced in the Advisory), the City elected not to pay the $51,000 demanded for decryption. The result was an inability to work around the encryption and a cost of $17 million to rebuild its network.