OFAC Sanctions and Ransomware Payments: US Legal Obligations

The Office of Foreign Assets Control (OFAC) imposes strict legal prohibitions on financial transactions with sanctioned individuals, entities, and jurisdictions — prohibitions that apply directly to ransomware payments when the recipient threat actor or group has been designated under US sanctions law. Organizations facing ransomware extortion must navigate these obligations simultaneously with incident response, business continuity pressures, and potential notification requirements under separate regulatory frameworks. This page covers the legal structure of OFAC's ransomware-related sanctions authority, the mechanics of designation and liability, classification boundaries, and the documented tensions between paying to recover operations and violating federal law.



Definition and scope

OFAC is a financial intelligence and enforcement agency operating within the US Department of the Treasury. Its authority derives from multiple statutory sources, including the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1708, and the Trading with the Enemy Act (TWEA), 50 U.S.C. § 4301 et seq. OFAC administers and enforces economic and trade sanctions against foreign countries, governments, entities, and individuals by maintaining the Specially Designated Nationals and Blocked Persons List (SDN List), accessible at OFAC's official SDN portal.

In the ransomware context, OFAC's scope is defined by its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, first issued October 1, 2020, and updated September 21, 2021. That advisory identifies ransomware operators who have received formal SDN designations — among them Evil Corp (designated December 2019), the Lazarus Group (designated September 2019 under Executive Order 13722 and 13694), and Chatex (designated November 2021). Paying ransom to any of these designated actors — or to any entity they own or control at 50 percent or more — constitutes a potential violation regardless of whether the payer knew of the sanctioned status at the time of payment (OFAC, 2021 Updated Advisory).

The ransomware provider listings on this platform offer categorized references to known threat groups, some of which carry active SDN designations relevant to payment decisions.


Core mechanics or structure

OFAC's enforcement mechanism rests on a strict liability standard for certain violations. Under 31 C.F.R. Parts 500–598, a US person — including any company incorporated in the United States and any foreign branch of a US entity — that engages in a prohibited transaction may be liable even absent actual knowledge that the counterparty was sanctioned. This strict liability framework distinguishes OFAC enforcement from most criminal law, where mens rea (intent) is required for conviction.

The process by which a ransomware actor becomes a sanctioned entity follows a designation pathway:

  1. Identification: The Treasury Department, in coordination with the intelligence community and law enforcement, identifies a threat actor responsible for ransomware campaigns meeting the threshold criteria under the applicable executive order.
  2. Designation: The actor is added to the SDN List under one or more legal authorities. Ransomware-related designations most commonly invoke Executive Order 13694 (malicious cyber-enabled activities), as amended by Executive Order 13757, or Executive Order 13722 (North Korea-specific authorities).
  3. Publication: The designation becomes publicly available on OFAC's SDN List and in the Federal Register. All US persons are constructively notified upon publication.
  4. Blocking: Any property or interests in property subject to US jurisdiction belonging to the designated person must be blocked and reported to OFAC within 10 business days (31 C.F.R. § 501.603).

When a ransom payment reaches a designated actor, the transaction constitutes a "transfer" under 31 C.F.R. § 501.311, triggering potential civil and criminal penalties. Civil penalties under IEEPA reach up to $356,579 per violation (adjusted for inflation; see OFAC Civil Penalties and Enforcement Information) or twice the value of the transaction, whichever is greater. Criminal penalties can reach $1 million per violation and 20 years imprisonment under 50 U.S.C. § 1705(c).


Causal relationships or drivers

The convergence of OFAC sanctions enforcement and ransomware payments is driven by deliberate US government policy linking cybercrime disruption to financial network interdiction. Three structural factors explain why this intersection has intensified since 2019.

State-sponsored actor designation: A significant share of high-volume ransomware operations has been attributed by US government agencies to actors affiliated with sanctioned states. The Lazarus Group, attributed by the US government to North Korea's Reconnaissance General Bureau, has been linked to ransomware campaigns including WannaCry (DOJ Press Release, September 2018). North Korea faces comprehensive sanctions under multiple executive orders and statutory regimes, meaning any payment to Lazarus-affiliated infrastructure carries sanctions risk irrespective of whether the paying organization identified the actor.

Cryptocurrency traceability: OFAC and the Financial Crimes Enforcement Network (FinCEN) have increasingly been able to trace cryptocurrency payment flows through blockchain analytics, identifying post-payment disbursement to wallets controlled by designated entities. The 2022 Tornado Cash designation (OFAC, August 8, 2022) illustrates how OFAC can designate mixing infrastructure rather than only end actors.

Proliferation of cyber-specific executive orders: Executive Order 13694, signed April 1, 2015, and its 2016 amendment via Executive Order 13757, created a standing legal architecture for designating malicious cyber actors without requiring a connection to a state sponsor. This expanded the designation-eligible population to include purely criminal ransomware groups.

The ransomware provider network purpose and scope page outlines the broader landscape of threat actors and how this platform structures its coverage.


Classification boundaries

OFAC sanctions risk in ransomware payments is not uniform across all scenarios. The following distinctions define the classification boundaries for legal exposure:

Designated vs. non-designated actors: Payment to a non-designated ransomware group carries no direct OFAC violation, though it may still implicate FinCEN reporting obligations and FBI advisory guidance discouraging payment. Payment to a designated actor triggers strict liability under OFAC regardless of knowledge.

US persons vs. non-US persons: OFAC's primary jurisdiction covers US persons — US citizens, permanent residents, entities organized under US law, and persons physically located in the United States. Non-US entities with no US nexus are generally outside OFAC's direct reach, though secondary sanctions risk exists for foreign financial institutions facilitating transactions with sanctioned actors.

Direct payment vs. facilitated payment: Cyber insurance carriers, incident response firms, and cryptocurrency exchanges that process or facilitate ransom payments on behalf of victims can themselves incur OFAC liability as the facilitating entity. OFAC's 2021 advisory explicitly names insurance companies, financial institutions, and digital forensics and incident response (DFIR) firms as entities with obligations to screen counterparties before processing payments.

Full blocking vs. sanctions risk: Some actors appear on the SDN List with "CYBER2" or "DPRK3" tags, indicating the specific executive order authority. Others may be entities that are 50 percent or more owned by a designated person — these indirect connections do not require a separate SDN entry to trigger liability under OFAC's 50 Percent Rule.


Tradeoffs and tensions

The sanctions framework creates a documented conflict between two legitimate interests: regulatory compliance and operational survival.

Organizations facing ransomware that encrypts critical infrastructure — hospital patient records, utility control systems, emergency services dispatch — confront a situation where non-payment may produce immediate harm to third parties. OFAC's framework does not contain a general necessity exception, though it does permit license applications. The tension is structural: the license application process operates on a timeline incompatible with most ransomware incident response windows, during which threat actors typically impose payment deadlines of 72 hours to 7 days.

A second tension exists between federal agencies. The FBI's longstanding public guidance discourages ransom payment on the grounds that it funds criminal operations and incentivizes further attacks. OFAC's framework adds legal penalty risk on top of this policy discouragement. Meanwhile, CISA's operational guidance acknowledges that organizations may face scenarios where payment appears to be the only viable recovery option, and its #StopRansomware guidance focuses heavily on pre-incident resilience rather than providing clear post-incident payment guidance.

The cyber insurance industry sits at the intersection of all these pressures. Insurers that cover ransom payments must themselves screen for sanctions exposure before authorizing payment, and the Lloyd's Market Association Bulletin Y5258 (2021) flagged sanctions compliance as a material underwriting concern. Policies that include ransomware coverage without carve-outs for OFAC-prohibited payments expose carriers to regulatory enforcement.


Common misconceptions

Misconception: Paying ransomware through a cryptocurrency exchange eliminates OFAC risk.
OFAC's jurisdiction attaches to the underlying transaction, not the payment mechanism. Using a regulated exchange does not sanitize a payment that ultimately reaches a sanctioned wallet address. The exchange itself may also bear liability for processing the transaction.

Misconception: Only the organization that directly pays the ransom is at legal risk.
OFAC's 2021 advisory specifically identifies insurers, DFIR firms, and financial intermediaries as potential enforcement targets. Any entity that "facilitates" a prohibited payment — including advising on payment logistics — may be within scope.

Misconception: OFAC will not pursue enforcement against ransomware victims acting in good faith.
OFAC's civil enforcement framework does consider cooperation, self-disclosure, and remediation as mitigating factors, but these factors reduce penalty severity rather than eliminate liability. The OFAC Enforcement Guidelines published at 31 C.F.R. Part 501, Appendix A establish a base penalty matrix from which mitigating adjustments are made.

Misconception: A ransom payment to an unknown actor carries no sanctions risk.
The strict liability standard means that lack of knowledge of an actor's sanctioned status does not preclude a violation finding. Pre-payment screening against the SDN List is a recognized risk-reduction measure, but it does not guarantee that a non-verified wallet has no beneficial ownership connection to a designated entity.


Checklist or steps (non-advisory)

The following steps represent documented procedural elements organizations and their incident response partners have used when assessing sanctions exposure during a ransomware incident. This is a factual sequence drawn from OFAC guidance and published incident response frameworks — not legal advice.

Phase 1: Immediate identification
- [ ] Identify any indicators of actor attribution from ransom note, malware signature, cryptocurrency wallet address, or command-and-control infrastructure
- [ ] Cross-reference identified wallet addresses against OFAC's SDN List at https://sanctionssearch.ofac.treas.gov/
- [ ] Check attribution against FBI and CISA joint advisories and known designations for groups including Evil Corp, Lazarus Group, and Sandworm

Phase 2: Legal and compliance engagement
- [ ] Notify legal counsel with OFAC/sanctions expertise before any payment authorization
- [ ] Confirm whether cyber insurance policy includes ransomware coverage and whether the insurer has conducted SDN screening
- [ ] Document all steps taken to identify the threat actor, including timestamps and sources consulted

Phase 3: OFAC licensing assessment
- [ ] Determine whether a specific license from OFAC is legally required based on actor attribution
- [ ] Submit a specific license application to OFAC if payment is being considered and a sanctions nexus is identified — OFAC's Licensing Page outlines application procedures
- [ ] Notify the FBI's Internet Crime Complaint Center (IC3) at https://www.ic3.gov and CISA at https://www.cisa.gov/report

Phase 4: Post-incident reporting
- [ ] If a payment was made and subsequently identified as potentially reaching a sanctioned party, self-disclose to OFAC — voluntary self-disclosure is a significant mitigating factor under 31 C.F.R. Part 501, Appendix A
- [ ] File Suspicious Activity Report (SAR) with FinCEN if the organization is a covered financial institution under the Bank Secrecy Act
- [ ] Preserve all records related to the incident, payment, and compliance steps for a minimum of 5 years per OFAC recordkeeping requirements (31 C.F.R. § 501.601)
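The Phase 1 cross-reference step, the Phase 2 documentation step and the 50 Percent Rule described under classification boundaries can be put together in one screening routine. The following is an added example and is not code from this page, from OFAC or from any screening vendor. It assumes a simplified SDN-style record shape (name, program tag, list of digital currency addresses) and a constructed ownership table; every name, program assignment and address in it is a constructed placeholder, not a real designation, and the real list must be consulted at https://sanctionssearch.ofac.treas.gov/. It goes slightly beyond the checklist text in one respect: it normalizes address casing before comparing, because EVM-style addresses differ only in EIP-55 checksum casing and bech32 addresses may be written all-upper or all-lower, while legacy base58 addresses are case-significant, so a naive string comparison can miss a listed address.

```python
"""Pre-payment SDN screening of cryptocurrency addresses with an audit trail.

Added example: not part of the original page and not OFAC tooling. The SDN
extract, the ownership table and every address below are CONSTRUCTED
placeholders; the real list lives at https://sanctionssearch.ofac.treas.gov/.
"""
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed SDN-style extract (placeholder names, program tags and addresses).
SDN_EXTRACT = [
    {"name": "EXAMPLE CYBER GROUP", "program": "CYBER2",
     "addresses": ["0xAbCdEf0123456789AbCdEf0123456789AbCdEf01",
                   "1SAMPLEBASE58ADDRESSXXXXXXXXXXXXX"]},
    {"name": "EXAMPLE DPRK FRONT", "program": "DPRK3",
     "addresses": ["bc1qsampleaddress00000000000000000000000"]},
]

# Constructed ownership table for unlisted counterparties, used for OFAC's
# 50 Percent Rule: aggregate ownership of 50% or more by blocked persons.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "EXAMPLE EXCHANGE LTD": {"EXAMPLE CYBER GROUP": 30.0, "EXAMPLE DPRK FRONT": 25.0},
    "EXAMPLE CLEAN CO": {"EXAMPLE CYBER GROUP": 10.0, "UNRELATED HOLDER": 90.0},
}

_HEX = re.compile(r"^0x[0-9a-fA-F]{40}$")              # EVM-style addresses
_BECH32 = re.compile(r"^(bc1|tb1)[02-9ac-hj-np-z]+$")  # bech32, checked lower-cased


def normalize(addr: str) -> str:
    """Canonical form for comparison. EVM addresses differ only in EIP-55
    checksum casing and bech32 permits all-upper or all-lower, so both are
    lower-cased; base58 (legacy BTC) is case-significant and left untouched."""
    a = addr.strip()
    if _HEX.match(a) or _BECH32.match(a.lower()):
        return a.lower()
    return a


def build_index(sdn: List[dict]) -> Dict[str, dict]:
    """Map every normalized listed address to its SDN record."""
    return {normalize(addr): rec for rec in sdn for addr in rec["addresses"]}


def blocked_ownership_pct(entity: str, sdn: List[dict],
                          ownership: Dict[str, Dict[str, float]]) -> float:
    """Aggregate percentage of `entity` held by persons on the SDN extract."""
    listed = {rec["name"] for rec in sdn}
    return sum(pct for owner, pct in ownership.get(entity, {}).items() if owner in listed)


@dataclass
class ScreeningResult:
    address: str
    status: str                    # DIRECT_MATCH | BLOCKED_BY_50PCT_RULE | NO_MATCH
    matched_entry: Optional[str]
    program: Optional[str]
    checked_at: str                # UTC timestamp for the incident record
    sources: List[str]             # what was consulted, for the Phase 2 documentation step

    def audit_line(self) -> str:
        """One JSON line per check, suitable for the incident record."""
        return json.dumps(asdict(self), sort_keys=True)


def screen_address(addr: str, attributed_to: Optional[str] = None,
                   sdn: List[dict] = SDN_EXTRACT,
                   ownership: Dict[str, Dict[str, float]] = OWNERSHIP) -> ScreeningResult:
    """Screen one wallet address: direct SDN match first, then the 50 Percent
    Rule when analytics attribute the wallet to an unlisted entity."""
    now = datetime.now(timezone.utc).isoformat()
    sources = ["constructed SDN extract (placeholder for sanctionssearch.ofac.treas.gov)"]
    hit = build_index(sdn).get(normalize(addr))
    if hit:
        return ScreeningResult(addr, "DIRECT_MATCH", hit["name"], hit["program"], now, sources)
    if attributed_to:
        sources.append(f"constructed ownership table for {attributed_to}")
        if blocked_ownership_pct(attributed_to, sdn, ownership) >= 50.0:
            return ScreeningResult(addr, "BLOCKED_BY_50PCT_RULE", attributed_to, None, now, sources)
    return ScreeningResult(addr, "NO_MATCH", None, None, now, sources)


if __name__ == "__main__":
    # Constructed inputs: a checksum-cased EVM address, an upper-cased bech32
    # address, and two unlisted wallets attributed to constructed entities.
    for a, ent in [("0xabcdef0123456789abcdef0123456789abcdef01", None),
                   ("BC1QSAMPLEADDRESS00000000000000000000000", None),
                   ("bc1qsamplewallet2xxxxxxxxxxxxxxxxxxxxxxx", "EXAMPLE EXCHANGE LTD"),
                   ("bc1qsamplewallet3xxxxxxxxxxxxxxxxxxxxxxx", "EXAMPLE CLEAN CO")]:
        print(screen_address(a, ent).audit_line())
```

Each call returns a timestamped record naming the sources consulted, which is the artefact the Phase 2 "document all steps" item asks for; a NO_MATCH result is still recorded, because the strict liability standard makes the evidence of screening itself the mitigating factor, not only a positive hit. The attribution of an unlisted wallet to an entity is an input the analyst supplies (for instance from blockchain analytics), not something the screening code derives.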

The how to use this ransomware resource page provides additional context on how this platform's content supports compliance and incident response research.


Reference table or matrix

| Factor | Low Sanctions Risk | Elevated Sanctions Risk | High Sanctions Risk |
|---|---|---|---|
| Actor attribution | Unknown, no SDN indicators | Partial attribution, inconclusive | Confirmed SDN-verified group (e.g., Evil Corp, Lazarus) |
| Wallet address match | No match on SDN List | Indirect ownership connection suspected | Direct SDN List wallet address match |
| Payer jurisdiction | Non-US entity, no US nexus | US entity with foreign subsidiary paying | US person or US-incorporated entity |
| Payment facilitator | No third-party intermediary | Unscreened DFIR firm or insurer | Intermediary with known sanctions history |
| Prior notice | No prior government contact | FBI/CISA notification received, no SDN warning | OFAC advisory specifically naming the group received |
| Disclosure posture | Proactive self-disclosure before payment | Post-payment voluntary disclosure | No disclosure, discovered by enforcement |
| Applicable authority | None identified | EO 13694 (cyber-enabled activities) | EO 13722 (DPRK), TWEA, or IEEPA comprehensive program |
| Mitigating factors | Full cooperation, SDN screening documented | Partial cooperation | Non-cooperation, obstruction |
