OFAC Warns That Firms Helping Victims With Ransomware Payouts Risk Violating Its Rules

If you assist a ransomware victim in paying out to cyber attackers, you could end up facing civil penalties, OFAC says.

AccessTimeIconOct 5, 2020 at 12:34 p.m. UTC
Updated Sep 14, 2021 at 10:04 a.m. UTC

The Office of Foreign Assets Control (OFAC) has warned that paying out to recover from ransomware attacks can be a breach of its rules.

  • In an advisory issued Friday, OFAC – a wing of the U.S. Department of the Treasury – said there's a sanctions risk with complying with such demands, which have increased since the start of the coronavirus pandemic.
  • The Office specifically pointed to companies that facilitate negotiations with cyber attackers regarding ransomware payouts.
  • Firms including financial institutions, insurance firms and others working in digital forensics, "not only encourage future ransomware payments demands but also may risk violating OFAC regulations," it said.
  • Ransomware is malicious software that propagates across computer networks and will lock up systems using encryption.
  • In order to receive a key to unlock their files and infrastructure, victims normally need to pay out a ransom in cryptocurrency.
  • OFAC cites data from the Federal Bureau of Investigation indicating ransomware demands rose by 37% in from 2018 to 2019, while the level of losses to such attacks rose 147% over the same period.
  • With OFAC responsible for issuing economic and trade sanctions against foreign nations or entities considered to infringe the U.S.'s foreign and security policies, it said that paying ransoms to those on its Specially Designated Nationals And Blocked Persons List could result in fines.
  • Civil penalties can be applied even if the payer did not know the recipient was on the list, the Office warned.
  • Such a situation may be mitigated if the entity facing a ransom demand submits a "timely and complete" report on the attack to law enforcement. Victims should also reach out to OFAC, according to the advisory.
  • The warning came the same day the U.S. Financial Crimes Enforcement Network (FinCEN) issued its own advisory on ransomware, stressing that governmental entities and financial, educational and health care institutions have been seeing more of these attacks.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.