As cybersecurity incidents increase, OFAC revises policy on ransomware
It’s no secret that the frequency and impact of cybersecurity incidents involving ransomware have increased dramatically. In 2020, nearly 2,400 U.S.-based governments, healthcare facilities, and schools were victims of ransomware attacks, according to a report from the Institute for Security and Technology (IST). The average payment rose 171% to $312,493. A survey of 5,000 IT managers indicated 51% had been attacked by ransomware in the previous year. In response, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory revising its policy on potential sanctions for companies that make ransomware payments.
Ransom payments strongly discouraged
The OFAC’s revised policy emphasizes that the U.S. government strongly discourages all private companies and citizens from paying ransom or meeting extortion demands. Instead, the focus should be on strengthening defensive and resilience measures to protect against ransomware attacks.
The policy prohibits any direct or indirect transactions with malicious cyber actors who have been designated under the OFAC’s cyber-related sanctions program. The advisory indicates the transactions are prohibited because the ransomware payments may (1) allow those who have been sanctioned to “profit and advance their illicit aims” and (2) “not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks.”