Although it notes that “the U.S. government strongly disfavors the payment of cyber ransom or extortion demands,” the OFAC guidance stops short of prohibiting such payments. Instead, building on the initial October 2020 advisory, it emphasizes the following points:
- The ransomware threat is significant and growing.
- Ransom payments to sanctioned organizations or individuals (including those located in comprehensively sanctioned countries/territories) are unlawful and carry significant legal exposure.
- Organizations are expected to take specific steps to reduce their potential sanctions exposure, which requires planning, resources, and other cyber investments.
OFAC simultaneously announced that, for the first time, it had sanctioned a cryptocurrency exchange (SUEX OTC, also known as Successful Exchange) based on its ties to ransom payments. SUEX has been designated as a Specially Designated National (SDN), a designation that imposes asset-freezing measures on property subject to U.S. jurisdiction and prohibits virtually all transactions with any U.S. nexus. Its SDN designation also creates possible secondary sanctions exposure for those who provide “material support” to SUEX…
