OFAC may impose civil penalties for sanctions violations even if the person making the payment was unaware they were dealing with someone prohibited under the office’s sanctions laws and regulations.
The goal for all parties supporting the targeted company is to act in good faith, notify the authorities of the incident, and make a reasonable showing that the threat actor is not on the SDN List. All of these items must be reviewed with timely due diligence.
To comply with OFAC, the parties supporting the ransomware engagement (including a breach response firm, a data privacy attorney or breach coach, and any other assigned investigative personnel) can help assess where the specific ransomware variant originated.
This is done by reviewing the ransom note for contact information, analyzing the malware variant’s behavior, and comparing the tactics, techniques, and procedures (TTPs) of past campaigns for correlations with an embargoed group.
The malware and attack pattern can also be examined through reverse engineering to determine whether the binary can be tied to any known threat group or entity.
As an additional layer of due diligence, the payment channel itself, which runs over decentralized and largely anonymized crypto markets and ledgers and often through specific Bitcoin wallets, can be checked with blockchain analysis to help identify the culprit.
This data becomes part of the OFAC check, which ensures that no one on the SDN List receives funds in conflict with established OFAC guidelines.
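The ransom-note review and wallet screening described above, as an added example that is not part of the original text: a small Python screener that pulls contact e-mail addresses, .onion portals and Bitcoin addresses out of a note, normalizes them, and checks them against a screening list shaped like the SDN list's digital-currency and contact entries. The note, the addresses, the `.onion` host and the list entries (`EXAMPLE-0001`, program `CYBER-EXAMPLE`) are all constructed placeholders; a real check would load the current SDN list and validate address checksums, which this example does not do.

```python
from __future__ import annotations

import re

# Constructed indicators (placeholders, not real wallets or contacts).
SANCTIONED_BTC = "bc1qexample00" + "x" * 29   # hypothetical listed bech32 wallet
OTHER_BTC = "1UnscreenedAddr" + "X" * 15      # hypothetical unlisted legacy wallet

# Constructed ransom note. The listed wallet is written in upper case, as
# QR-friendly bech32 addresses often are, to show why normalization matters.
SAMPLE_NOTE = f"""
YOUR FILES HAVE BEEN ENCRYPTED.
Contact us: Decrypt-Help@example.invalid
Portal: http://exampleonionaddressplaceholderexampleonionaddressplaceho.onion/chat
Pay 2.5 BTC to {SANCTIONED_BTC.upper()} or {OTHER_BTC}
"""

# Constructed screening list in the shape of SDN entries that carry a
# "Digital Currency Address" or e-mail identifier. Values are hypothetical.
SCREENING_LIST = [
    {"entry_id": "EXAMPLE-0001", "program": "CYBER-EXAMPLE",
     "kind": "btc", "value": SANCTIONED_BTC},
    {"entry_id": "EXAMPLE-0001", "program": "CYBER-EXAMPLE",
     "kind": "email", "value": "listed-contact@example.invalid"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# v2 onion hosts are 16 base32 chars, v3 hosts are 56.
ONION_RE = re.compile(r"\b[a-z2-7]{16,}\.onion\b")
# bech32 (bc1...) is case-insensitive; base58 (1.../3...) is case-sensitive
# and excludes the ambiguous characters 0, O, I and l.
BECH32_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b", re.IGNORECASE)
BASE58_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def normalize(kind: str, value: str) -> str:
    """Canonical form used for exact matching against the screening list."""
    if kind in ("email", "onion"):
        return value.lower()
    if kind == "btc" and value.lower().startswith("bc1"):
        return value.lower()
    return value  # base58 addresses keep their case


def extract_indicators(note: str) -> dict[str, set[str]]:
    """Pull contact and payment indicators out of ransom-note text."""
    return {
        "email": {normalize("email", m) for m in EMAIL_RE.findall(note)},
        "onion": {normalize("onion", m) for m in ONION_RE.findall(note)},
        "btc": {normalize("btc", m) for m in BECH32_RE.findall(note)}
               | {normalize("btc", m) for m in BASE58_RE.findall(note)},
    }


def screen(indicators: dict[str, set[str]], screening_list: list[dict]) -> list[dict]:
    """Return one hit per (indicator, list entry) pair found in the list."""
    index: dict[tuple[str, str], list[dict]] = {}
    for entry in screening_list:
        key = (entry["kind"], normalize(entry["kind"], entry["value"]))
        index.setdefault(key, []).append(entry)
    hits = []
    for kind, values in indicators.items():
        for value in sorted(values):
            for entry in index.get((kind, value), []):
                hits.append({"kind": kind, "indicator": value,
                             "entry_id": entry["entry_id"],
                             "program": entry["program"]})
    return hits


def screen_note(note: str, screening_list: list[dict] = SCREENING_LIST):
    """Convenience wrapper: extract, then screen, returning both results."""
    indicators = extract_indicators(note)
    return indicators, screen(indicators, screening_list)


if __name__ == "__main__":
    found, matches = screen_note(SAMPLE_NOTE)
    for kind, values in found.items():
        print(f"{kind}: {sorted(values)}")
    if matches:
        print("SCREENING HITS (do not pay without legal review):")
        for hit in matches:
            print(f"  {hit['kind']} {hit['indicator']} -> {hit['entry_id']} [{hit['program']}]")
    else:
        print("No indicators matched the screening list.")
```

Every extracted indicator, matched or not, belongs in the incident record alongside the list version it was screened against, since the absence of a hit is only as good as the list date and the normalization applied.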