On September 21, 2021, the U.S. Department of the Treasury (Treasury) Office of Foreign Asset Control (OFAC) imposed sanctions on a virtual currency exchange called Suex OTC, S.R.O. (Suex), and published an updated advisory on potential risks for those who facilitate ransomware payments. These coordinated actions represent significant moves by OFAC to target key aspects of the global ransomware ecosystem and to advance the U.S. government’s broader counter-ransomware strategy. By recommending strengthened cybersecurity measures and emphasizing reporting to law enforcement, OFAC’s updated advisory also reflects increasingly tighter collaboration among federal government agencies in their fight against the ransomware threat.
On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to the names of two individuals who were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include the FCRA-required information about how to dispute and correct the incorrect information.
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.[1]
Ransomware attacks use malware, often delivered through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand in which the threat actor offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, so third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock up data but also steal it from the victim and threaten to publish sensitive files. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.[2]