Sobel & Co. LLC

New Advisories on Ransomware Payments


Both the Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) have issued recent advisories concerning ransomware payments.[1]

Ransomware attacks occur when a cyber actor uses malicious software (“malware”) to block access to a computer network or data, and offers to restore access in exchange for payment of ransom. Ransom is generally demanded in the form of some type of cryptocurrency, such as Bitcoin, Ethereum, or Monero, as they lend a level of anonymity desired by criminals that fiat currencies do not provide.

As potential victims of ransomware attacks have become more vigilant about making sure they have data backups that will allow them to mitigate the risk of an attack, the cyber actors have become more sophisticated in their schemes, and many now threaten to dox their victims, or release sensitive data to the public, if the ransom is not paid.

FinCEN and OFAC are warning against the facilitation of ransomware payments, not only because it encourages future ransomware payment demands, but also because doing so may cause you to unwittingly run afoul of national security objectives and financial regulations.

Businesses such as digital forensics and incident response (DFIR) companies and cyber insurance companies (CIC) may assist clients in making ransomware payments by receiving and converting their clients’ fiat currencies into the cryptocurrencies generally demanded by ransomware attackers, and transferring the ransom to the attackers’ specified accounts. Depending on the circumstances, engagement in such activity may constitute money services business activities. An entity involved in such activities is required to register as a Money Services Business with FinCEN and comply with Bank Secrecy Act (BSA) obligations, including filing suspicious activity reports (SAR).

OFAC has designated a number of individuals and organizations associated with cybercrimes under its cyber-related sanctions program and other sanctions programs. Facilitating ransomware payments to one of these designees may assist the advancement of, and enable them to profit from, their nefarious activities, undermining the national security and foreign policy objectives of the United States, and violating OFAC’s Economic Sanctions Enforcement Guidelines. Additionally, if these cybercriminals are listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), are other blocked persons, or are covered by comprehensive country or region embargoes, U.S. persons are generally prohibited from engaging in direct or indirect transactions with them under the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA).

Should you fall victim to a ransomware attack and decide there is no other remedy but to pay the ransom, be aware that there may be national security and financial regulatory implications to this course of action, and it isn’t just about getting your data back. Financial institutions and other money services businesses are being advised by OFAC and FinCEN to look for red flag indicators of ransomware and associated illicit payments. If you are working with a DFIR or CIC to resolve the situation, ask how they are keeping on the right side of OFAC and FinCEN requirements, so your efforts to retrieve your data assets don’t result in much bigger problems with the U.S. government.

Rebecca Fitzhugh, CPA/CFF, CFE, MBA, CIT, CIGA
Member of the Firm, Forensic Accounting/Litigation Services