Department of the Treasury - Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

September 21, 2021

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this updated advisory to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action.

Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.

This advisory describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant U.S. government agencies, including OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.

View the entire report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272

(M) +1 202 640 9159

Related Resources

Advancing Health Podcast
In this podcast John Riggi, AHA’s senior advisor for cybersecurity and Risk, talks to David Ring, section chief of the FBI's cyber engagement and intelligence…
Letter/Comment
Public
The AHA urges the Department of Health and Human Services’ Office for Civil Rights to quickly initiate rulemaking for a legislative provision (H.R. 7898)…
Advancing Health Podcast
Public
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States…
Issue Landing Page
Cybersecurity vulnerabilities and intrusions pose risks for every hospital, and its reputation. The American Hospital Association offers resources for…
Advancing Health Podcast
Public
America’s hospitals and health systems are at risks of attacks that threaten the bio-economy. How do these threats affect patients and citizens and what we can…
Guides/Reports
Learn about AHA cybersecurity resources and services to assist the health care field in mitigating the cyber and physical risks it faces.