December 2021 Foodman Website and JD Supra
Ransomware Attack

Prevention is Key, Sanctions Are Possible for Ransomware Attack

During the first half of 2021, 68 different ransomware attacks extracted approximately $600 million from victims across the United States. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) says that the attacks have become more focused, sophisticated, and costly.

It’s not hard to imagine the public panic resulting from a massive ransomware attack that prevented consumers from accessing their funds. The wider economy could also be at stake from a significant attack. Fortunately, costly disruption of virtual and traditional financial systems can be minimized with effective mitigation.

The Treasury Department’s Office of Foreign Assets Control (OFAC) has updated its potential sanctions risks for noncompliance with ransomware guidelines. For the first time, OFAC equates the role of traditional financial institutions and the digital currency sector. It advises both to implement risk-based compliance programs to mitigate exposure to sanctions violations.

Fiat and virtual currencies have equal responsibility

The Treasury Department is combining OFAC and FinCEN efforts to combat ransomware attacks.  It is leveraging existing fiat currency controls and enforcing them more deliberately toward virtual currency.

FinCEN identified Bitcoin as the most commonly requested ransomware payment method. Ransomware attacks requesting difficult-to-trace cryptocurrency are increasing as hackers seek to reduce their transparency and traceability.

OFAC strongly recommends that the fiat currency and virtual currency sectors focus on strengthening defensive measures to prevent ransomware attacks. Noncompliance with OFAC sanctions guidelines could trigger fines, and criminal penalties, as well as adverse publicity.

Like financial institutions, the virtual currency industry must block access to fiat or virtual transactions prohibited by sanctioned persons or entities. They also must implement necessary controls, detailed in Treasury Department FAQ No. 646).

OFAC’s Sanctions Compliance Guidelines

Although OFAC is not a bank regulator, it requires that financial institutions do not violate the laws that it administers. It expects both FIs and the virtual currency industry to establish a robust OFAC compliance program and develop internal audit procedures.

Among the recommendations in the OFAC’s Guidelines, these sectors should:

  • Implement comprehensive cyber defenses and controls, backed up by regular monitoring of their effectiveness. OFAC will evaluate the adequacy of these programs when determining its penalty response.
  • Ensure that if one control fails to identify or prevent an attack, other controls will be able to limit its impact.
  • These controls should be able to identify, interdict, escalate, report and maintain records for prohibited transactions or activities.
  • Maintainoffline backups of data, develop incident response plans and institute cybersecurity training,
  • Regularly update antivirus and anti-malware software and employ authentication protocols.
  • Use sanctions screening tools. These compare customer information against sanctions lists to discover potential links to sanctioned persons. This may also involve risk-based rescreening to account for updated customer information and changes to sanctions lists and regulatory requirements.
  • Monitor for red flags, which include, among other things:
    • new users providing incomplete KYC information (and not responding to prompts for more information)
    • attempts to access a virtual currency from an IP address or VPN connected to a sanctioned jurisdiction
    • attempts to transact with a virtual currency address associated with a sanctioned person or jurisdiction,
    • any behavior that indicates money laundering.
  • Institute geolocation and IP address blocking controls, which can prevent access by persons in sanctioned jurisdictions. Notably, the Guidance suggests using analytics tools to prevent IP masking via VPNs. These are a common tool used to circumvent geographic restrictions.
  • Follow Know Your Customer (KYC) procedures. These include verifying identity information such as date of birth, bank information, government identification and documents.
  • Monitor transactions and use  investigation software, which can identify, flag and block transactions with persons or entities on OFAC’s sanctions lists.
  • Refer to OFAC’s list of known virtual currency addresses of sanctioned persons, entities, governments or regions.
  • Conduct due diligence on customers, partners and transactions to identify red flags.
  • Understand that there are potential sanction risks associated with making and facilitating ransomware payments.

Additionally, the US Government:

  • Strongly discourages all private companies and citizens from paying ransom or extortion demands.
  • Wants you to contact law enforcement, including OFAC. Provide ongoing cooperation in any ransomware attack. Be especially vigilant if the demand is made by a person or entity that may be sanctioned. ©