Making or Facilitating Ransomware Payments May Violate U.S. Sanctions
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.
OFAC’s advisory does not describe new penalties for ransomware payments, expand existing law, or provide new authority for imposing sanctions. Rather, by releasing its advisory in conjunction with a similar advisory from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), OFAC is sending a clear signal that making ransomware payments with a sanctions nexus threatens U.S. national security interests, and that third-party service providers that facilitate ransomware payments on behalf of a victim must consider and ensure compliance with OFAC regulations.