
Freshfields TQ


Ransomware victims beware: UK & US tackle ransomware with first multilateral sanctions and UK victims’ reporting guidance

The coordinated designation of individuals under both the UK and US cyber sanctions regimes, in an effort to combat ransomware attacks, highlights the importance for the victims of ransomware attacks of considering due diligence and reporting obligations, as summarised in UK guidance released on the same day.

Last week, UK and US regulators designated seven Russian individuals, alleged to be associated with the Trickbot Group, a Russia-based cybercrime gang responsible for the development and deployment of ransomware attacks. These sanctions are the first of their kind imposed by the UK, and reflect the US and UK governments’ follow-through on a “campaign of coordinated action against ransomware actors.” This multilateral campaign stemmed from the National Crime Agency’s (NCA) identification of ransomware strains known as Conti and Ryuk that had targeted individuals, universities, and hospitals in the UK and USA.

These new designations coincide with the publication of new guidance, also on 9 February 2023, by the UK Office of Financial Sanctions Implementation (OFSI) on the sanctions risks involved in making or facilitating a ransomware payment which may involve a sanctioned person. We discuss practical steps companies may take to mitigate sanctions risks and key takeaways below.

Sanctions risks of ransomware payments

Companies that fall victim to future ransomware attacks should take the new designations into account when deciding whether to make a ransomware payment, because a payment that ends up with any of these individuals, or with an entity they own or control, risks breaching sanctions.

The United Kingdom and United States’ coordination on the designation of these individuals emphasises that companies that fall victim to ransomware need to consider potential sanctions and practical risks when deciding whether to make a ransomware payment, whether or not the Trickbot Group is involved. Many ransomware threat actors are already the subject of sanctions, and even dealings with non-sanctioned attackers may involve indirect dealings with sanctioned persons or territories. As the one-year anniversary of Russia’s invasion of Ukraine (and the imposition of related sanctions) approaches, this action shows the United Kingdom and United States’ increasing willingness to use their powers in a coordinated way, not only under the Russia sanctions but also under cyber sanctions, to target illicit Russian actors.

The general sanctions risks of making ransomware payments are summarised in the OFSI’s newly published ‘Ransomware and Sanctions’ guidance (the OFSI Guidance), which explains the UK government’s position that “HMG does not condone making ransomware payments”, as well as outlining steps which potential and actual ransomware victims should take. The US Treasury Department’s Office of Foreign Assets Control (OFAC) has published similar guidance that “strongly discourages the payment of cyber ransom or extortion demands” (the OFAC Guidance). 

Practical steps for companies under new OFSI Guidance on ransomware payments 

The OFSI Guidance sets out the framework of UK sanctions relevant to ransomware attacks, describes the potential sanctions risks of making ransomware payments, and suggests “mitigating steps” ransomware victims may take. The OFSI Guidance is also instructive for potential ransomware victims in any jurisdiction and is consistent with US ransomware and sanctions guidance.

Additionally, the OFSI Guidance states that OFSI and the NCA will take a company’s “mitigating steps” into account when deciding how to resolve a ransomware investigation: “If the mitigating steps outlined above are taken, the OFSI and the NCA would be more likely to resolve a breach case involving a ransomware payment through means other than a monetary penalty or criminal investigation.”

These “mitigating steps” include:

  • due diligence on the prospective payee;
  • reporting ransomware attacks to the relevant authorities, via the “Where to Report a Cyber Incident” government online portal;
  • “prompt and complete” voluntary disclosure of the payment to OFSI as soon as practicable.

These mitigating steps largely mirror the steps described in the OFAC Guidance, which states that OFAC will consider various actions as ‘significant’ mitigating factors in an OFAC enforcement response; namely, (1) the existence, nature, and adequacy of a sanctions compliance program; (2) implementing and improving cybersecurity practices (e.g., maintaining offline backups of data, developing cybersecurity incident response plans, and regularly updating anti-malware software); and (3) reporting a ransomware attack to appropriate agencies. 

The OFSI and OFAC Guidance demonstrate that regulators have substantial compliance and cybersecurity expectations of companies. Taking steps now may not only help a company safeguard against a ransomware attack; having in place, and executing on, a plan that is consistent with the Guidance may also help mitigate potential sanctions risks and even penalties for making or facilitating a ransomware payment to a sanctioned person.

Looking forward

It is likely that UK and US regulators will continue to increase – and cooperate on – investigatory and enforcement activities related to ransomware victims. Additionally, OFSI and OFAC’s recent flexing of their cyber sanctions powers suggests that UK and US authorities may well be willing to use these powers to target individuals and companies unrelated to Russia that threaten UK and US national security interests. As stated by NCA Director-General Graeme Biggar, the United Kingdom “will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.” 
