OFAC Sanctions and Ransomware Payments: US Legal Obligations

The US Office of Foreign Assets Control (OFAC) operates a sanctions enforcement framework that directly affects every organization facing a ransomware demand — regardless of whether the victim initiated contact with a designated threat actor. OFAC's 2020 and 2021 advisories established that ransomware payments to sanctioned entities can constitute strict-liability violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), exposing victims, insurers, and negotiation intermediaries to civil and criminal penalties. This page maps the regulatory structure, classification boundaries, enforcement mechanics, and procedural landscape governing ransomware payment decisions under US sanctions law.


Definition and Scope

OFAC, a bureau of the US Department of the Treasury, administers and enforces economic and trade sanctions against targeted foreign countries, governments, entities, and individuals (OFAC About Page). Its authority derives primarily from the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1708, and the Trading with the Enemy Act (TWEA), 50 U.S.C. § 4301 et seq. The Specially Designated Nationals and Blocked Persons List (SDN List) enumerates individuals and entities with whom US persons — broadly defined — are prohibited from conducting financial transactions.

In the ransomware context, OFAC's scope extends to any US person or entity that facilitates or processes a payment to an SDN-listed ransomware operator, even if the payer did not know the actor was designated. OFAC's September 2020 Advisory and its updated September 2021 Advisory applied this framework explicitly to ransomware payments — covering victim organizations, cyber insurance carriers, financial institutions, and third-party incident response firms that process or facilitate payments.

Designated ransomware threat actors named on the SDN List have included Evil Corp (designated December 2019), the Lazarus Group (designated September 2019 under Executive Order 13722), and Chatex, a cryptocurrency exchange facilitating ransomware proceeds (designated November 2021). For a broader taxonomy of ransomware threat actors operating in this space, see the Ransomware Threat Actors reference.


Core Mechanics or Structure

OFAC sanctions enforcement operates under a strict-liability standard for civil violations. This means that a US person who transfers funds to a sanctioned ransomware operator — even without actual knowledge of the designation — may be found civilly liable (OFAC 2021 Ransomware Advisory). Criminal liability requires knowledge or intent.

The enforcement mechanism proceeds through three structural layers:

SDN List Screening: Before any payment is processed, OFAC's compliance framework requires that the counterparty be screened against the SDN List and applicable sanctions programs. In ransomware incidents, the counterparty is the threat actor — typically known only by a wallet address, a negotiation portal, or a group name. Attribution at the time of payment is frequently incomplete.

License Requirement: Transactions otherwise prohibited by OFAC sanctions require a specific license or general license authorization before proceeding. OFAC may grant specific licenses authorizing payments in exceptional circumstances, evaluated on a case-by-case basis. The 2021 Advisory notes that OFAC will consider a voluntary, self-initiated disclosure and proactive cooperation with law enforcement as significant mitigating factors in penalty determinations.

Penalty Structure: Civil monetary penalties for IEEPA violations are adjusted annually for inflation. As of the figures published by OFAC's Inflation Adjustment of Civil Monetary Penalties, the per-transaction civil penalty ceiling under IEEPA exceeds $350,000 or twice the value of the transaction, whichever is greater. Criminal violations under IEEPA carry penalties of up to $1 million per violation and up to 20 years imprisonment (50 U.S.C. § 1705(c)).

The cryptocurrency payment landscape complicates screening because blockchain wallet addresses are pseudonymous — OFAC has published specific wallet addresses associated with SDN-listed actors, but ransomware operators generate new wallets continuously, so the absence of a match against the published addresses does not establish that the recipient is unsanctioned.


Causal Relationships or Drivers

The intersection of OFAC sanctions and ransomware emerged from a documented pattern: ransomware groups tied to nation-state actors — particularly Russia, North Korea, and Iran — were receiving payment flows from US victims, effectively providing hard currency to designated governments and entities.

Evil Corp's designation arose from its members' alleged ties to Russian intelligence and their operation of Dridex malware and BitPaymer ransomware. The Lazarus Group's designation traces to North Korea's Reconnaissance General Bureau, which OFAC and the US Cyber Command have publicly attributed to state-directed cyber operations. When victims paid these groups, funds flowed — through cryptocurrency conversion chains — toward sanctioned jurisdictions.

The Ransomware-as-a-Service (RaaS) model compounds attribution difficulty. As described in the Ransomware-as-a-Service reference, RaaS platforms allow affiliates — who may themselves be unsanctioned — to deploy ransomware on behalf of a core sanctioned group. The affiliate structure creates ambiguity: a victim negotiating with an affiliate may not know whether the underlying platform operator is SDN-listed.

OFAC's 2021 Advisory directly responded to this driver by stating that the sanctions compliance obligation extends to payments that benefit sanctioned entities, regardless of whether an intermediary affiliate conducts the surface-level negotiation.


Classification Boundaries

OFAC sanctions in the ransomware context divide along four classification axes:

Designated vs. Non-Designated Actors: A payment to a non-SDN-listed group carries no OFAC prohibition, though other legal obligations (FinCEN reporting, FBI notification) may still apply. A payment to or for the benefit of an SDN-listed entity triggers strict-liability civil exposure regardless of knowledge.

US Person vs. Non-US Person: OFAC's prohibitions apply to US persons — defined as US citizens, permanent residents, entities organized under US law, and persons physically located in the United States. Non-US subsidiaries of US parent companies may face secondary sanctions risk depending on the program.

Direct Payment vs. Facilitated Payment: The 2021 Advisory explicitly covers cyber insurance carriers that reimburse ransomware payments, financial institutions that process transfers, and incident response firms that manage payment logistics. Each category falls within OFAC's enforcement reach.

Blocked Property vs. Jurisdictional Sanctions: Some OFAC sanctions programs block property of designated individuals (SDN-based), while others impose broad country-based prohibitions (e.g., North Korea, Iran, Syria, Cuba). Ransomware payments to actors operating infrastructure or receiving funds within comprehensively sanctioned jurisdictions may trigger country-program violations independent of SDN listing.


Tradeoffs and Tensions

The OFAC framework creates a documented structural tension between regulatory compliance and operational recovery. Ransomware victims — particularly in healthcare, critical infrastructure, and municipal government — face situations where payment may appear to be the fastest path to restoring life-safety systems, while the sanctions regime penalizes the same payment if the actor is designated.

The strict-liability standard intensifies this tension: victims cannot guarantee pre-payment attribution. Even sophisticated forensic investigation may not resolve threat actor identity within the operational window of an active incident. OFAC has acknowledged this tension in its 2021 Advisory by indicating that prompt reporting to and cooperation with law enforcement (specifically the FBI, CISA, and Treasury's Office of Cybersecurity and Critical Infrastructure Protection) constitutes a significant mitigating factor — but it does not eliminate liability.

Cyber insurers face a parallel conflict. Policies that cover ransom payments as a covered loss expose carriers to OFAC liability if the payment is made to a sanctioned group. The cyber insurance sector has responded by adding sanctions exclusion clauses to policies, which shifts the financial risk back to policyholders. This creates an adversarial dynamic between coverage marketed as ransomware protection and the regulatory constraints that limit when that coverage can be applied.

A further tension exists between law enforcement preferences and victim interests. The FBI's official position, consistent with CISA guidance, discourages payment on the grounds that it funds future attacks and does not guarantee data restoration — a position detailed in the ransomware payment considerations reference. However, law enforcement agencies do not bear the operational losses victims sustain during prolonged outages, creating divergent incentive structures.


Common Misconceptions

Misconception: Paying through a third-party intermediary insulates the victim from OFAC liability.
OFAC's 2021 Advisory explicitly addresses this. The use of a ransomware negotiation firm, cryptocurrency broker, or incident response vendor does not transfer or eliminate the originating victim's sanctions exposure. The Advisory states that "companies that facilitate ransomware payments to cyber actors on behalf of victims" are themselves subject to OFAC regulations.

Misconception: OFAC sanctions only apply if the payer knows the recipient is designated.
For civil violations, OFAC applies strict liability — knowledge of designation is not required. Ignorance of a designation is not a legal defense to civil penalties, though it is considered in penalty mitigation calculations alongside cooperation with law enforcement and voluntary disclosure.

Misconception: Small ransom payments below a threshold are exempt.
No de minimis threshold exists in OFAC's ransomware advisory. The penalty ceiling scales with transaction value — "twice the value of the transaction" — meaning that smaller payments generate proportionally lower maximum penalties, but no payment is categorically exempt from scrutiny.

Misconception: Obtaining a decryption key without paying constitutes compliance.
Where a victim obtains decryption through law enforcement action, third-party tool, or backup restoration, no payment prohibition is triggered. Recovery without payment remains the compliance-safe path. See the ransomware recovery without paying reference for structured alternatives.

Misconception: OFAC only targets the threat actor, not the victim.
The Advisory makes clear that victims who pay may themselves be enforcement subjects. The 2021 Advisory specifically states that OFAC "will consider" the totality of circumstances — including whether the victim self-reported — but the enforcement authority over the victim is unambiguous.


Checklist or Steps (Non-Advisory)

The following sequence reflects the procedural steps documented in OFAC's 2021 Ransomware Advisory and related FBI and CISA guidance as the standard pre-payment compliance process. This is a reference description of documented process phases, not legal advice.

Phase 1 — Incident Identification and Containment
- Isolate affected systems to halt encryption propagation (aligned with ransomware incident response frameworks)
- Preserve forensic artifacts: ransom note text, file extension patterns, communication portal URLs, cryptocurrency wallet addresses
- Engage legal counsel with OFAC compliance experience

Phase 2 — Threat Actor Attribution Screening
- Cross-reference observed indicators (group name, ransom note signature, wallet addresses) against OFAC's SDN List (SDN Search Tool)
- Cross-reference against OFAC's published list of cryptocurrency addresses associated with designated actors
- Consult FBI and CISA for attribution intelligence — both agencies have operational resources not publicly available
- Document the screening process and its results contemporaneously

Phase 3 — Law Enforcement Notification
- Report the incident to the FBI (IC3.gov) and to CISA (cisa.gov/report)
- Notification prior to any payment decision is documented by OFAC as a significant mitigating factor
- FinCEN's Advisory FIN-2020-A006 requires financial institutions involved in processing ransomware payments to file Suspicious Activity Reports (SARs)

Phase 4 — OFAC Specific License Application (if applicable)
- If attribution is inconclusive and operational necessity compels consideration of payment, contact OFAC's Compliance Hotline (1-800-540-6322) and consult counsel on specific license application procedures
- Document the application and OFAC's response before any funds transfer

Phase 5 — Post-Incident Reporting
- File voluntary self-disclosure with OFAC if a payment was made to a potentially designated actor without pre-clearance
- Cooperate fully with Treasury, FBI, and CISA post-incident investigations
- Retain all documentation of screening, decision rationale, and communications for a minimum period consistent with applicable records retention requirements
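The Phase 2 screening and its contemporaneous documentation can be made repeatable with a small tool. The example below is added here and is not OFAC's code or any project's own; it screens observed indicators (wallet addresses and group names) against a constructed placeholder list shaped like SDN entries with digital-currency address identifiers, and emits a record of when the screening ran, which list version (by hash) was used, and what matched. It assumes bech32 and EVM hex addresses compare case-insensitively while base58 addresses compare verbatim; a match is a prompt for counsel and law enforcement contact, and a non-match is not clearance.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed placeholder entries in the shape of SDN records with digital-currency
# address identifiers; a real screening loads OFAC's published SDN data instead.
SAMPLE_SDN = [{
    "name": "EXAMPLE RANSOM GROUP", "aliases": ["EXAMPLEGROUP", "EXG LOCKER"],
    "program": "CYBER2",
    "addresses": ["bc1qexampleplaceholderaddress0000000000000",
                  "0xABCDEF0000000000000000000000000000000001",
                  "1ExampleBase58PlaceholderAddressXXXXXX"]}]

def normalize_address(addr: str) -> str:
    """bech32 (bc1...) and EVM hex (0x...) addresses are case-insensitive; base58 is not."""
    a = addr.strip()
    return a.lower() if a.lower().startswith(("bc1", "0x")) else a

def normalize_name(name: str) -> str:
    """Collapse case, spacing and punctuation so 'Exg-Locker' matches 'EXG LOCKER'."""
    return "".join(ch for ch in name.upper() if ch.isalnum())

def build_index(entries):
    """Map normalized addresses and names/aliases to the list entry they belong to."""
    by_addr, by_name = {}, {}
    for e in entries:
        for a in e["addresses"]:
            by_addr[normalize_address(a)] = e
        for n in [e["name"], *e["aliases"]]:
            by_name[normalize_name(n)] = e
    return by_addr, by_name

def screen(indicators, entries):
    """indicators: list of (kind, value) with kind 'address' or 'name'. Returns hits."""
    by_addr, by_name = build_index(entries)
    hits = []
    for kind, value in indicators:
        key = normalize_address(value) if kind == "address" else normalize_name(value)
        match = (by_addr if kind == "address" else by_name).get(key)
        if match:
            hits.append({"kind": kind, "indicator": value,
                         "entry": match["name"], "program": match["program"]})
    return hits

def screening_record(indicators, entries):
    """Contemporaneous record: when screened, which list version, what matched."""
    fingerprint = hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()
    hits = screen(indicators, entries)
    return {"screened_at": datetime.now(timezone.utc).isoformat(), "list_sha256": fingerprint,
            "indicators": indicators, "hits": hits,
            "result": "POTENTIAL_SDN_MATCH" if hits else "NO_MATCH"}
```

Retain the returned record alongside the list export it was screened against so the hash in the record can be reproduced later.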


Reference Table or Matrix

| Actor / Entity | Designation Date | Designating Authority | Relevant Sanctions Program | Notes |
|---|---|---|---|---|
| Evil Corp (Maksim Yakubets et al.) | December 5, 2019 | OFAC | Executive Order 13694 (Cyber) | Linked to Dridex, BitPaymer, WastedLocker ransomware; US persons prohibited from paying |
| Lazarus Group | September 13, 2019 | OFAC | Executive Order 13722 (North Korea) | North Korea's Reconnaissance General Bureau; linked to WannaCry 2.0 |
| Chatex (cryptocurrency exchange) | November 8, 2021 | OFAC | Executive Order 13694 | Facilitated ransomware proceeds; one of 3 virtual currency exchanges designated in same action |
| Suex OTC (cryptocurrency exchange) | September 21, 2021 | OFAC | Executive Order 13694 | First virtual currency exchange designated for ransomware facilitation; over 40% of transactions traced to illicit actors (OFAC Press Release) |
| Garantex (cryptocurrency exchange) | April 5, 2022 | OFAC / EU | Executive Order 13694 | Russia-based; designated jointly with EU and coordinated with DOJ action |

| Violation Category | Liability Standard | Maximum Civil Penalty | Criminal Penalty | Mitigating Factors |
|---|---|---|---|---|
| Payment to SDN-listed actor (civil) | Strict liability | Greater of $356,579 per violation or 2× transaction value (OFAC 2024 penalty adjustment) | N/A for civil | Voluntary disclosure, law enforcement cooperation, compliance program |
| Payment to SDN-listed actor (criminal) | Knowledge / intent | $1,000,000 per violation | Up to 20 years imprisonment (50 U.S.C. § 1705(c)) | Cooperation, disclosure |
| Facilitating payment (insurers, IRFs) | Strict liability (civil) | Same as above | Same as above | Same mitigating framework |
| Failure to file SAR (financial institutions) | Knowledge standard | Per FinCEN BSA regulations | Criminal referral possible | Early voluntary cooperation |
