A Government Insider on Navigating the New Guidance for Ransomware Payments

When attorney David Cohen was serving in the Treasury Department in the Obama administration—where he was known as the White House's “financial Batman”—ransomware payments were hardly on the government’s radar, he said. In recent years, however, the ransomware threat has rapidly expanded, crippling countless schools, hospitals, municipalities, and businesses on a daily basis.

Although the payments—typically made in Bitcoin or other cryptocurrencies—can be difficult to track, top law enforcement officials say that they often end up in the hands of hackers in North Korea, Russia, and Iran. In October, the Treasury Department’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) attracted widespread attention from cybersecurity professionals when they issued a pair of ransomware advisories warning of potential sanctions risks for making and facilitating payments to designated entities. 

Before he served as the CIA’s second-in-command from 2015-2017, Cohen held the position of Under Secretary for Terrorism and Financial Intelligence at the Treasury Department, where he directly supervized OFAC and FinCEN.

Cohen, who is now a partner at the law firm WilmerHale, talked to The Record about the latest ransomware trends, what the OFAC and FinCEN guidance means for businesses, and how he landed a cameo on the television series Game of Thrones. The below conversation has been lightly edited for space and clarity.

The Record: In the last few weeks there have been a string of ransomware attacks on hospitals across the U.S.—do you think these threats are going to continue and do you think that they’re financially motivated, or is there something more sinister happening?

David Cohen: I think clearly there has been an increase in both the number of ransomware attacks and also the total amount of ransoms that have been extorted. And I think it is almost entirely economically motivated. I think there is an aspect of some attacks that are politically motivated, and there’s certainly concerns about the potential for attacks with political motivations, but the vast majority of the ransomware attacks that we have seen are just another form of extortion—of a way to raise funds and to target vulnerable organizations that have the means to make payments.

TR: When you say targets that have a means to make payments, the most alarming headlines have been about attacks on hospitals, schools, and municipalities. Do you think those organizations are most likely to pay, or do they just get the most coverage because those attacks are so visible?

DC: I think they get the most coverage because they are the public institutions. They have a comparative lack of cybersecurity. If you are going to compare a local municipality to a major financial institution, I think it’s likely that the local municipality has less sophisticated, less robust cybersecurity protections. When it comes to the capacity to pay, many municipalities are obviously financially strained, they are not excessively well-resourced entities. But that being said, they do have access to funds and municipalities and hospitals have made payments in order to get their systems up and running again. At the same time, there are obviously many other victims of ransomware extortion schemes that you do not hear about because they are not public entities and they are not disclosing the fact that they are the victim of a ransomware attack. 

TR: I’ve seen some statistics that suggest that the amount being ransomed on average is doubling every six months. What is going to be the end of this? Is there any light at the end of the tunnel? 

DC: I don’t know for sure, but I thought it was interesting that the advisories that came out in the beginning of October from [the Treasury Department’s] FinCEN and OFAC were both focused quite deliberately on the facilitators of ransom payments. There had been guidance issued particularly from the FBI speaking to potential victims and offering advice on what to do if you are the victim of a ransom or extortion scheme, and the OFAC guidance and the FinCEN guidance make a nod towards the victims but then spend a fair amount of time talking about the other entities in the ransomware ecosystem—not the extorters and not the victims, but the entities that help to facilitate, help to investigate, respond and make the payments. And in both of the advisories there was a warning being sent to the facilitators that in doing that work, they themselves may be getting crosswise with either OFAC or with FinCEN. And so, to answer your question: How does this end? I think it is unclear how this ends, it is unclear when this ends, but I think that these two advisories are an indication of how at least the Treasury Department is trying to tamp down this increased pace and severity of ransomware attacks. 

TR: I noticed that too with the advisories and thought maybe the Treasury sees this developing ecosystem as something that would incentivize the payment of ransoms, which then incentivizes ransomware operators to increase their attacks. Is that how you see it?

"I think that these advisories are a way of trying to put sand in the gears of the ecosystem that is developing around the payment of ransoms, to try to prevent this ecosystem from developing further and prevent entities from becoming the victim of these extortion schemes."

—David Cohen, partner at WilmerHale and former Under Secretary for Terrorism and Financial Intelligence at the Treasury Department.

DC: I think that is entirely possible. To take a big step back, the U.S. government for many years now has had a policy, a strict policy, that it will not pay ransoms. So if a person is taken hostage, the U.S government may negotiate, but it will not pay ransoms to hostage takers or to others who are demanding a policy change in exchange for the hostage’s release. The reason the U.S. government adopted that policy many years ago was to essentially protect against the development of an ecosystem where the U.S. government is extorted for ransom payments. Now, it does not mean that no one ever gets taken hostage because of that policy. Obviously, there are horrible examples of people who are taken hostage with ransoms being demanded, but the government's position has been—and I think there is some evidence to support this—that a firm policy against paying ransoms in the long run and in the aggregate means that there are fewer people taken hostage and fewer extortion demands made against the U.S. government. So, that is the backdrop of U.S. policy. That policy obviously does not apply to private actors. As a general matter, there is no law against paying a ransom demands unless the recipient is a designated entity, so in the normal course, if you are the victim of an extortion scheme, you can pay the extorter without, generally speaking, incurring any legal liability. 

But I think that these advisories are a way of trying to put sand in the gears of the ecosystem that is developing around the payment of ransoms, to try to prevent this ecosystem from developing further and prevent entities from becoming the victim of these extortion schemes. 

TR: I know it’s been several years since you served at the Treasury Department—you left in 2015. But was ransomware on the radar when you were there, or has this whole phenomenon kind of popped up in the last few years? 

DC: It was not a particularly significant issue when I was there. I know that there were some ransomware attacks, but it was not a huge issue as I recall. 

TR: And I assume that what has made it a bigger issue is not only the size of the ransoms but also evidence that some nation states and state-sponsored groups have engaged in it, is that right? 

DC: Right. I think it is the size of the payments, the number of entities that have been targeted, and the nature of the entities that have been targeted. The WannaCry attack in 2017 was the first ransomware attack that really caught the public's attention because the attack disrupted the operations of hospitals. The impact of that ransomware attack was felt more broadly and understood more broadly. There have also been a number of attacks on municipalities in the U.S., like Baltimore, which obviously also attracts attention. 

TR: With these kinds of attacks, I’ve heard people argue that the government should treat incidents targeting hospitals as if they are terrorism attacks. It’s obviously hard to categorize it as terrorism without political motivations, but do you think that the government needs to treat these attacks differently than how they treat ransomware attacks against other organizations?

DC: Well, I think we should take attacks on critical infrastructure and other critical components of our society, including hospitals, very seriously. It does not mean that you need to label it terrorism—I think we should reserve that label for what is truly terrorism—but that does not mean that you cannot increase the degree to which the government is focusing its resources and making efforts to combat the societal ill. As ransomware attacks become more prevalent and target public health or financial institutions, it is entirely natural and appropriate that governments will respond to that with greater efforts to address the problem.

TR: When it comes to the guidance, do you see it as a first step? Are you expecting more to come out of the Treasury, and what might that look like if so? 

DC: I wouldn’t be surprised if at some point you get additional guidance from FinCEN and OFAC, although I would not expect it anytime soon. These were obviously coordinated advisories that took a fair amount of work from the two agencies. So, I would expect that these advisories would be the operative advisories for some time to come. Neither particularly break new ground, I think with the exception of what I mentioned earlier, which was making very clear in both advisories that the facilitators of ransom payments in ransomware attacks have to pay attention to their obligations not to engage in transactions with designated parties, as well as to be attentive to whether they are engaging in money transmission which brings with it a requirement to follow anti-money laundering programs. The FinCEN advisory also reminds financial institutions to file suspicious activity reports if they are involved in the chain of payments that are related to a ransom payment for a ransomware attack. 

TR: Have they changed how you advise clients who are victims of ransomware? 

"[The Treasury Department] is trying to get better clarity on exactly how these payments are being made, how frequently they are being made and to where they are being made just to get greater information on what is happening in the ransomware ecosystem."

DC: I think what the advisories have done is emphasize a couple of different things that our clients need to be aware of. On the sanctions issues, the legal obligation is to not make a payment or to transact with or be involved in a transaction with a designated party or a person that is in a comprehensively sanctioned jurisdiction—a person who is in Iran or Syria or North Korea, for instance. There is a strict liability regime that says if you are engaged in that sort of transaction, you are at least theoretically subject to a civil penalty. OFAC has on top of that strict liability regime given guidance about when and how it enforces those regulations, and this ransomware guidance in particular says if you have in place a good sanctions compliance program and if you take reasonable steps to assure yourself that you are not making a payment or facilitating a payment to someone who is on the SDN list or who is in a sanctioned jurisdiction, they will take that into account in any potential enforcement action. If it turns out you were wrong and that you were in fact making a payment to someone who is on the SDN list or in a comprehensively sanctioned jurisdiction, what they have done essentially is apply their existing guidance on what a good sanctions compliance program should look like and the elements that should contain and the way it should be implemented to this specific context.

The other interesting thing in the OFAC guidance is that it addresses what are called ‘specific licenses’. In the OFAC context, if a particular transaction is not permitted because it involves a sanctioned person or jurisdiction, you can go to OFAC and seek what is called a ‘specific license’ to get permission to engage in that transaction. In the guidance, OFAC says that you can come and seek a ‘specific license’ but there is going to be a presumption of denial which is to say, “Do not expect that we are going to give you permission to make a payment to a designated entity or into a sanctioned jurisdiction because from our perspective that undermines U.S. national security and foreign policy objectives, which is to deny funding to people who are on the sanctions list or in these jurisdictions.” That is the whole reason that sanctions exist, to cut designated persons off from the financial system. The OFAC guidance does not say that it is impossible to get a specific license, but there is a presumption of denial of a request for a ‘specific license’... I thought that was an interesting, but not surprising, new feature about the OFAC guidance. 

In the FinCEN guidance, I think what was notable there were a couple of things. One was the emphasis that they put on financial institutions filing suspicious activity reports if they are anywhere in the payment flow. The FinCEN guidance very clearly says if you are part of this payment chain, you need to file a suspicious activity report and you should indicate in that suspicious activity report that this has to do with a ransomware payment. I think the idea there is that FinCEN is trying to get better clarity on exactly how these payments are being made, how frequently they are being made and to where they are being made just to get greater information on what is happening in the ransomware ecosystem. 

TR: So it can help them address the root cause in a way? 

DC: Exactly, yes. They will understand it better, and if you have a better understanding of what is going on you can then tailor your efforts to address those problems more effectively. 

TR: Right. And I might be getting a bit in the weeds here, but with these incidents it is not like you can email your attacker and say, “Hey, are you a designated entity?” So what does due diligence look like?

DC: It is a very good question because in the nature of these attacks, the attacker tries to hide its identity, right? And if you know who is extorting you, it is easier to get law enforcement to go and shut them down. So, what is particularly difficult about these ransomware attacks is that the identity of the attacker is very difficult to determine and that is why by and large the attackers demand payments in cryptocurrency. That makes it all the more difficult if you are the victim of an extortion scheme or one of the people who was trying to assist the victim to make the payments to be confident that the ultimate recipient of the payment is not on the sanctions list or is not in an embargoed jurisdiction because their identity is obscured and it is harder to figure that out.

I think what OFAC’s guidance is saying essentially, is you need to dig into that as best as you can and if you do not know or have reason to know that you are making a payment to a designated entity, we will certainly take that into account if it turns out that the ultimate recipient is a designated entity or someone in an embargoed jurisdiction, but we are expecting very significant due diligence to be undertaken. Ultimately, that is the most difficult question that companies face when they are the victim of a ransomware attack: Our systems are locked up, we have got this ransom demand, we can make the payments, but there is a risk in making this payment to an entity that is subject to sanctions. How do we address that risk? The truth is, there is no silver bullet; there is generally never a way to be certain that the recipient is not on the sanctions list because it is very hard to get perfect clarity into who the extorter is. But what we advise clients to do is to the greatest extent possible, try and figure out, or hire someone to try and figure out, who it is that is demanding the payment and that at least to some extent mitigates that risk. 

TR: The last ransomware question that I have is one that I am sure that you get asked all the time and you are probably sick of, but the question of whether to pay a ransom—what is your response when people ask, and has it changed as the ransomware threat evolves?

DC: There’s no simple answer to that question. We don’t advise clients to always pay, and we don’t advise clients to never pay. Context matters a great deal. It matters whether you have effective backups, it matters whether you think that if you make a payment you’ll actually get the relief you are looking for, and it matters obviously if you have some confidence that the extorting party is not on the sanctions list. It is interesting that the U.S. government guidance is also very much a sort of ‘maybe you should, maybe you should not’ guidance. The U.S. government says it does not encourage the payments of ransom, but if you do you should closely coordinate with law enforcement so that they can track what is going on and potentially assist in bringing whoever is involved in the extortion scheme to justice. We tend to advise clients not to seek law enforcement permission, because that won’t, generally speaking, be forthcoming. But they should certainly at least seriously consider informing law enforcement about what is happening and what they are planning to do. Also, clients who are in regulated industries may have some obligations to notify their regulators about a ransom demand, as well as whatever problems they may be experiencing due to the lock-up of their systems or the potential exfiltration of data and public disclosure. There are a lot of factors to take into account, and not one single approach will fit in every circumstance. 

"Ultimately, that is the most difficult question that companies face when they are the victim of a ransomware attack: Our systems are locked up, we have got this ransom demand, we can make the payments, but there is a risk in making this payment to an entity that is subject to sanctions. How do we address that risk? The truth is, there is no silver bullet."

TR: The last question I have is that I saw that you had a cameo role in Game of Thrones. What’s the story behind that?

DC: It was a family connection. My brother-in-law is a guy named David Benioff, who is one of the two creators of Game of Thrones. After I left government and was taking some time off, we were in Belfast, Ireland, and I persuaded him to let me do a little cameo. That’s how it came about. 

TR: That is awesome.

DC: Yeah, it was not because of my acting talent.