Ransomware or cyber-attack payments could be in violation of U.S. Office of Foreign Asset Controls (“OFAC”) sanctions if the recipient of the funds is prohibited from being involved, directly or indirectly, in a financial transaction. OFAC has issued an updated export compliance advisory regarding dealing with ransomware and cyber-attack demands and what steps would be considered mitigating factors with any enforcement or penalty action.
