Communications Litigation Today was a Warren News publication.

US Holding Multilateral Meetings to Counter Ransomware Attacks, Warning Against Payments

The U.S. and more than 30 other countries are meeting virtually this week to discuss how to better counter and disrupt ransomware attacks, including through sanctions, the White House said Oct. 13. The meetings come less than a month after the U.S. sanctioned SUEX, a large virtual currency exchange, for helping to facilitate transactions related to illegal ransomware attacks (see 2109210031). The White House said the Treasury Department “will continue to disrupt and hold accountable these ransomware actors and their money laundering networks,” and the meetings this week could be a forum for discussing multilateral actions.

“We’re bringing the full weight of U.S. government capabilities to disrupt ransomware actors, networks, financial infrastructure, and other facilitators,” a senior administration official told reporters during a call this week. “This event over the next two days is exhibit A of how we’re working with international partners to disrupt ransomware networks, to improve partner capacity for detecting and responding to such activity within their own borders” and imposing consequences on the perpetrators.” Although the U.S. has specifically targeted Russia for harboring and helping ransomware groups, it didn’t invite Russia to participate in this week’s meetings.

Along with the designation of SUEX, Treasury’s Office of Foreign Assets Control also updated an advisory that discourages payments to ransomware actors, which could violate U.S. sanctions. OFAC’s advisory sent a “clear message” that the agency expects companies to defend themselves against ransomware attacks and to pay a ransom only as a “last resort,” Davis Wright said in an October alert. “If a victim company finds itself paying a ransom because it failed to adequately prepare for an attack, and if that payment involves a sanctioned person,” the firm said, “the legal consequences could be severe.”

Brian Fleming, a trade lawyer with Miller & Chevalier, said OFAC expects that “anybody who is part of this ecosystem, part of this world, or has anything to do with ransomware payments, really needs to have an appropriate risk-based compliance program.” He said OFAC “singled out” SUEX as a “co-equal aider and abettor” of cyberattackers after it said more than 40% of SUEX’s “known transaction history” involves illegal activity.

“Long gone are the days that you can plead ignorance of the fact that facilitating these payments or being involved in these payments might not have anything to do with sanctions-related considerations,” Fleming said during an Oct. 6 podcast hosted by his law firm. Tim O’Toole, a Miller & Chevalier lawyer speaking on the same podcast, said the SUEX designation was a “big deal,” partly because the government so clearly voiced its opposition to ransomware payments. “I walk away from this thinking that no reputable company will ever be able to make a ransomware payment again without involving law enforcement,” he said.

Although OFAC’s SUEX designation “garnered significant attention,” it is unclear what kind of “practical effect” it may have on ransomware-related transactions, Davis Wright said. “Most payments to ransomware attackers do not have an apparent nexus to OFAC-sanctioned persons, so whether the Updated Advisory will defer many payments is hard to say.”

OFAC also said most activity on cryptocurrency exchanges is legitimate, so it is also unclear whether the SUEX designation is a “bellwether of enforcement against cryptocurrency exchanges more broadly,” Davis Wright said. “It remains to be seen whether OFAC will focus only on outlier bad actors for ransomware-related sanctions.”