Paying ransomware ransoms may violate OFAC’s regulations

  • Issuing a crypto transaction in response to a ransomware attack may violate OFAC regulations
  • This Advisory was published following the surge of ransomware during the COVID-19 pandemic
  • License applications involving ransomware payments will be reviewed by OFAC on a case-by-case basis with a presumption of denial
  • In case of ransomware, OFAC advises the victim to contact OFAC before taking any action
  • OFAC highlights the necessity to implement a risk-based approach to deal with these cases

This month, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning that companies that facilitate ransomware payments to cyber attackers on behalf of victims may risk violating OFAC regulations.

Ransomware is a kind of malicious software that blocks access to a computer system or data by encrypting it. To regain access, the victims have to pay the attackers a ransom, very often in cryptocurrency because of its anonymous nature and the ease of making transactions.

This Advisory was published in the context of the surge in demand for ransomware payments in recent years, especially during the COVID-19 pandemic.

Many malicious cyber actors have been designated under OFAC sanctions programs, including ransomware attackers and those who facilitate ransomware transactions. OFAC’s advisory indicated that ransomware payments with a sanctions nexus endanger U.S. national security interests. Civil penalties may be imposed on those who engage in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by a comprehensively embargoed jurisdiction.

This advisory concerns financial institutions, cyber insurance firms, companies involved in digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).

In addition, license applications involving ransomware payments will be reviewed by OFAC on a case-by-case basis with a presumption of denial. At the end of the Advisory, OFAC encouraged victims and those involved with addressing ransomware attacks to contact OFAC as soon as possible.

How can Scorechain Blockchain Analytics help to mitigate risk?

To mitigate exposure to these sanctions-related violations, OFAC encourages all concerned companies to implement a risk-based compliance program. In particular, these companies should account for the risk that a ransomware payment may involve an SDN (Specially Designated National), a blocked person, or a comprehensively embargoed jurisdiction.

With a transparent risk assessment methodology, Scorechain Blockchain Analytics helps worldwide crypto-related businesses in 29 countries implement a risk-based approach to be compliant with crypto AML regulations. With our solution, it is easy to follow the funds and to have proper AML internal controls in place. In particular, risk indicators such as “scam” as entity type or any high-risk jurisdiction can be triggered, and users will be alerted when the funds are involved with ransomware incidents or any sanctions list.

In addition, when evaluating an enforcement outcome, OFAC will consider it a significant factor if a company has provided a “self-initiated, timely, and complete report of a ransomware attack to law enforcement” and if it has shown “full and timely cooperation with law enforcement both during and after the attack”.

Scorechain Blockchain Analytics provides a comprehensive reporting system to help compliance teams in crypto companies fulfill their reporting obligations for account monitoring and suspicious activity reporting, including KYT/KYA reports, balance and transaction history, and incoming/outgoing scoring for each address/entity.

Want to mitigate the risk of any possible regulation violation? Contact us; our crypto compliance experts will be glad to advise you.