Treasury issues updated guidance on ransomware payments

The U.S. Department of Treasury’s Office of Foreign Assets Control issued updated guidance Wednesday on potential sanctions risks for facilitating ransomware payments, stating it will consider the reporting of ransomware attacks to government agencies in enforcing its policy.

The guidance is essentially the same as the one issued by OFAC last October in warning that the U.S. government “strongly discourages” all private companies and citizens from paying ransom or extortion demands.

An added section labeled “Cooperation with OFAC and Law Enforcement,” states another factor it will consider under its enforcement guidelines is reporting ransomware attacks to appropriate government agencies “including whether an apparent violation of U.S. Sanctions is voluntarily disclosed.”

In these cases, it said, it would be “more likely” to issue a “non-public response,” such as a “No Action” or “Cautionary” letter, the new guidance said.