OFAC - Office of Foreign Assets Control
The Office of Foreign Assets Control (OFAC) is the agency within the U.S. Department of the Treasury that administers and enforces U.S. economic and trade sanctions. In the cyber incident response context, OFAC is most relevant when an organization considers paying a ransom: a payment to a sanctioned person or jurisdiction, even an unwitting one, can violate U.S. law and result in penalties under strict-liability standards.
The OFAC Ransomware Advisory
OFAC's updated ransomware advisory (most recently September 2021) warns that companies, financial institutions, cyber insurance firms, DFIR firms, and others involved in facilitating ransomware payments may face civil penalties under the strict-liability standards of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), even if they did not know the payment recipient was sanctioned.
Mitigating Factors
OFAC's advisory identifies mitigating factors that may reduce the likelihood of enforcement action:
- Full and timely cooperation with law enforcement, particularly FBI and CISA
- Self-initiated, timely report of the incident to OFAC and law enforcement
- Implementation of meaningful steps to remediate the underlying compromise
- Existence of a sanctions compliance program with sanctions screening before payment
- Pre-incident due diligence on cyber insurance and incident response vendors
OFAC Sanctions and Ransomware Actors
OFAC has sanctioned a growing list of ransomware actors and facilitators, including specific persons associated with REvil, Trickbot, Conti, and others; cryptocurrency mixing services (Tornado Cash, Sinbad); and exchanges (SUEX, Chatex, Garantex). The OFAC SDN (Specially Designated Nationals) list is updated continuously and must be checked before any ransom payment.
Run OFAC checks before payment decisions
IR-OS captures the OFAC screening, law enforcement notification, and sanctions analysis required before any ransom payment decision.