Pandemic Brings Increase in Ransomware Payments Prompting New Advisories from OFAC and FinCEN on Sanctions Risks


By: Caitlin Tubbesing

On October 1, 2020, the first day of National Cybersecurity Awareness Month, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) each issued an advisory warning companies that work with ransomware victims that facilitating ransomware payments can carry sanctions risk. Ransomware attacks have increased during the COVID-19 pandemic and the resulting shift to remote operations, as cyber actors target the online systems companies rely on to conduct business. The advisories are a timely warning to cyber insurers, digital forensics and incident response firms, and financial services institutions that paying a ransom to a sanctioned jurisdiction, entity, or individual may violate OFAC regulations and federal law and expose the payer or facilitator to civil penalties.

As part of its sanctions program, OFAC designates malicious cyber actors, including perpetrators of ransomware attacks and facilitators of ransomware transactions, and imposes sanctions on those “who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Pursuant to the International Emergency Economic Powers Act and the Trading with the Enemy Act, U.S. persons are prohibited from engaging in direct or indirect transactions with persons on OFAC’s Specially Designated Nationals and Blocked Persons List, with other blocked persons, and with those covered by a national or regional embargo. Liability is strict: OFAC may impose civil penalties for violating these laws irrespective of whether the person knew, or had reason to know, that it was engaging in a transaction with a prohibited individual, entity, or jurisdiction. In practice this means a payer or facilitator cannot rely on not knowing who is behind a ransomware operation as a defense.

The sanctions are intended to target and temper the proliferation of ransomware payments, which implicate significant national security concerns. Payments made to sanctioned persons or jurisdictions could be used to fund activities adverse to American interests and policy objectives, and they encourage cyber actors to continue carrying out these attacks. In addition to the national security nexus, OFAC observed that paying a ransom is no guarantee that the victim will regain access to its stolen data.

Companies working with ransomware victims should account for the sanctions risks associated with ransomware payments and implement a risk-based compliance program incorporating the five components of OFAC’s compliance framework: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. For a ransomware engagement, the risk assessment and internal controls should include screening any known attacker identifiers and payment destinations against OFAC’s lists before a payment is made, and documenting that screening. Victims and companies involved in responding to ransomware attacks should also report attacks to OFAC and law enforcement, and are encouraged to cooperate with law enforcement both during and after the attack; OFAC treats timely self-reporting and cooperation as significant mitigating factors when it assesses penalties. Financial institutions that facilitate ransomware payments should determine whether filing a Suspicious Activity Report (SAR) with FinCEN is appropriate or required.

If you have questions or would like more information, please contact Caitlin Tubbesing at


**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**