U.S. to buckle down on crypto payments in ransom cyberattacks: A push against a booming criminal industry


By: Julia Bover

The Wall Street Journal reported last week that the Biden administration is “preparing an array of actions” to combat the ransomware epidemic by targeting the digital currency market as early as this week. Sanctions on cryptocurrency were discussed as being imminent, but the Treasury Department declined to comment for the story, leaving many to wonder exactly what shape the regulations will take.  A CNBC headline on the same day suggesting that the Executive branch will “ban” cryptocurrency payments to ransomware threat actors furthered the much-disputed suggestion that the cyber-crime problem could be eliminated by one bold act of rulemaking.   

Prior actions by the government may indicate where all this is heading. On August 30, 2021, the Treasury Department proposed new reporting requirements for international cryptocurrency transactions and for transactions that are conducted outside of central cryptocurrency exchanges. This was the first major step since October 2020, when the Treasury’s Office of Foreign Assets Control (OFAC) released guidance clarifying that ransomware payments to entities on OFAC’s Specially Designated Nationals and Blocked Persons List, also known as the SDN List, could violate U.S. laws and leave entities strictly liable for monetary sanctions. Simultaneously, the Financial Crimes Enforcement Network (FinCEN) published its own advisory targeting money services businesses (MSBs) engaged in activities like the conversion of fiat currency into convertible virtual currency and transmitting those funds to crypto exchanges. The FinCEN advisory states that those MSBs are required to register with FinCEN and are subject to Bank Secrecy Act obligations, including requirements to file Suspicious Activity Reports (SARs), and the Treasury Department’s OFAC requirements.

Further restrictions on U.S. businesses when they are subject to a ransomware attack could have significant impacts. Attacks on businesses that do not have viable backup solutions to restore data that is otherwise lost to a ransomware attack could jeopardize the business’s survival and the people it employs, as well as the consumers who use its products or services. In those situations, purchasing a decryption key from the threat actor may be the only available and feasible solution. More recently, companies must also consider the harm caused by unauthorized acquisition of the company’s private data, including Personally Identifiable Information (PII) or Protected Health Information (PHI), as most ransomware groups now also steal data from the company’s network before encrypting its files. Faced with that scenario, some businesses understandably feel a responsibility to make a ransom payment to avoid further disclosure of the stolen information.

At the same time, one cannot deny that continued payment of ransoms to cybercriminal organizations has contributed to the proliferation of attacks in recent years, and that action is needed to combat this growing problem. Ultimately, it will take significant effort by legislators and industry stakeholders to create real change in the digital currency landscape that positively impacts the cybercrime epidemic and balance the competing interests involved. We will continue to monitor these developments and provide further advisories here. In the meantime, please contact Julia Bover at or another attorney in our Data Security, Privacy & Technology practice group if you have further questions.