Shearman & Sterling LLP
Issue link: https://digital.shearman.com/i/1422677
9 US HIGHLIGHTS SANCTIONS THREAT POSED BY RISE IN CRYPTO- CURRENCY On September 21, OFAC released an "Updated Advisory on Potential Risks for Facilitating Ransomware Payments." The Advisory updates guidance issued last October, which warned of the sanctions risks associated with facilitating ransomware payments in connection with malicious cyber-attacks. The updated guidance highlights new risks arising from the growing use of crypto currencies, and outlines proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be "mitigating factors" in any related enforcement action. The Advisory's release comes amid a notable rise in cyber-attacks against governments and private companies around the world. According to FBI data, the Advisory notes there was a nearly twenty-one percent increase in reported ransomware cases and a 225 percent increase in associated losses from 2019 to 2020. Among the well-publicized attacks which resulted in sanctions designations were the North Korea-linked malware known as "WannaCry 2.0" and the Dridex malware, linked to a Russia-based cybercriminal organization. More recently, malign cyber-actors are demanding that ransom payments be made in virtual currencies. This landscape creates unique risks to those who facilitate ransomware payments, including currency exchanges and traditional financial institutions. OFAC warned that companies who facilitate the ransom payments "not only encourage future ransomware payment demands but also may risk violation OFAC regulations." The Advisory cautions, for example, that ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to U.S. national security and foreign policy objectives. Moreover, assisting victims of ransomware attacks in making payments can run afoul of sanctions, as U.S. persons are prohibited from engaging with Specially Designated Nationals subject to sanctions for cyber- attacks. Non-U.S. persons, too, can be punished for taking actions that cause a U.S. person to engage in dealings with sanctioned persons and jurisdictions. To meet the compliance challenges posed by this evolving landscape, the Advisory sets forth certain measures to help reduce the risk of sanctions violations. Specifically: