
UK Government Issues Ransomware and Financial Sanctions Guidance


On February 9, the UK Office of Financial Sanctions Implementation (OFSI) issued new public guidance on ransomware and financial sanctions. The report reminds firms that making ransomware payments to designated entities is prohibited and that breaching financial sanctions is “a serious criminal offense”.  

Our 2023 global compliance report explored how ransomware increased in scale and variety through 2022, with the UK having the highest number of cybercrime victims per million internet users – up 40 percent from 2020 figures. As a result, the National Crime Agency (NCA) is now calling ransomware a “tier one national security threat”. 

OFSI guidance

OFSI’s guidance speaks to this rising threat, highlighting the impact of ransomware payments, sectoral sanctions risks, and the UK’s cyber sanctions legislation following the country’s exit from the European Union.

Additionally, the report highlights guidance from the National Cyber Security Centre (NCSC) on cyber resilience measures that significantly reduce the risk and impact of a successful ransomware attack. These measures include: 

  • Risk-based due diligence – Each organization should assess its exposure and implement due diligence measures to manage any identified or anticipated risks of breaching financial sanctions
  • Timely reporting – Following a ransomware attack, firms should use the Where to Report a Cyber Incident portal to be directed to the correct organizations to which to report the incident
  • Cooperation with law enforcement – Firms that suspect a ransomware payment has been made to a designated person should report the incident to OFSI as soon as practicable

Commenting, NCSC CEO Lindy Cameron said, “It is vital organizations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defenses in place to protect their networks.”

Crackdown on international cybercrime

On the same day that OFSI’s guidance was published, the NCA announced the designation of seven Russian cybercriminals with links to the ransomware group behind some of the most damaging attacks on the UK in recent years. According to the NCA, the group is responsible for extorting at least £27 million from over 100 UK victims, including schools, hospitals, and local authorities.

The sanctions are the result of a collaboration between OFSI and the US Treasury Department’s Office of Foreign Assets Control (OFAC) to tackle international cybercrime. Described as an “enhanced partnership”, OFSI and OFAC released a joint statement in October 2022 announcing their coordinated efforts to mitigate cyber threats and the misuse of virtual assets. Specifically, the partnership will see the agencies:

  • Think creatively about sanctions challenges
  • Align sanctions implementation
  • Strengthen their working relationships and exchange best practices
  • Better support sanctions compliance through jointly issued guidance and products

Key takeaways

Managing the risk of ransomware is becoming increasingly complex. Compliance teams must boost their cyber defenses and practice good cyber hygiene. Digital-native firms not operating bug bounty programs – incentive-based programs designed to stress test platforms for potential flaws – should also consider implementing them, alongside frequently scheduled pen testing exercises.

Compliance staff wanting to increase their understanding of ransomware tactics used by threat actors should review the LockBit and Royal Mail negotiation, which was leaked after the postal company refused to pay £66 million following its January cyberattack.

For further advice on minimizing potential harm from ransomware attacks, smaller organizations should refer to the NCSC’s Small Business Guide.


Originally published 16 February 2023, updated 18 April 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).