Non-Lawyers Summary

The U.S. government no longer just charges ransomware actors — it runs multi-agency "disruption operations" combining indictments, server seizures, cryptocurrency recovery, and sanctions designations. Most ransomware operators live in Russia, Belarus, or North Korea where extradition is impossible. So DOJ has developed a toolkit that imposes costs short of a courtroom: freeze wallets, expose identities, publish stolen negotiation logs, and release decryption keys to victims. When someone does get extradited — typically a lower-level affiliate or money launderer — they face CFAA charges (unauthorized access) plus federal money laundering statutes that carry decades of exposure. If you work in incident response, threat intelligence, or security research, this module maps who got charged, on what theory, why some people walk free, and where ransomware victims themselves can become OFAC defendants.


What This Module Answers Fast

| Question | Go To |
| --- | --- |
| What charges does a ransomware affiliate face vs. a developer? | The RaaS Legal Model section |
| How did the FBI recover Colonial Pipeline's Bitcoin? | DarkSide / Colonial Pipeline section |
| Who is Yaroslav Vasinskyi and what was his sentence? | REvil/Sodinokibi section |
| Why did ALPHV/BlackCat keep operating after FBI seized its site? | ALPHV/BlackCat section |
| Can my company be fined for paying ransom? | OFAC Ransomware Payment Liability section |
| What is Operation Cronos and who was unmasked? | LockBit section |
| Is credential stuffing the same as ransomware legally? | Credential Stuffing Prosecutions section |
| What statutes cover ransomware? | Key Facts section |

Overview

In May 2021, a single ransomware group shut down a critical American fuel pipeline and triggered gas shortages across the southeastern United States. The President of the United States held a press briefing. The FBI recovered millions in Bitcoin from a digital wallet. No one was arrested in the U.S. The perpetrators remained in Russia.

This is the ransomware prosecution paradox: the most devastating cybercrime category of the modern era, and the most difficult to prosecute through traditional means. Ransomware prosecution sits at the intersection of three federal frameworks — computer fraud (18 U.S.C. § 1030), money laundering (18 U.S.C. §§ 1956–1957), and civil/criminal forfeiture (21 U.S.C. § 853, 18 U.S.C. § 981). The complication is geopolitical: most ransomware operators are Russian nationals operating from jurisdictions that do not extradite to the United States.

DOJ's response has been to build a disruption model where prosecution is only one tool in a broader pressure campaign. The disruption model has five components:

  1. Criminal indictment — creates a sealed or public charging document, triggers Interpol Red Notice, bars international travel.
  2. OFAC sanctions designation — adds actor to the Specially Designated Nationals (SDN) list; any U.S. person transacting with them — including paying ransom — faces civil or criminal penalty.
  3. Server seizure / infrastructure takedown — executed via mutual legal assistance treaties (MLATs) or unilateral action against servers in cooperative jurisdictions; disrupts operations immediately.
  4. Cryptocurrency seizure — DOJ and FBI use court orders under 21 U.S.C. § 853 to seize wallets; requires obtaining private key or working with exchanges.
  5. Decryption key release — after seizing infrastructure, FBI often extracts decryption keys and distributes them to victims via CISA/IC3, reducing ransom payment incentive.

Not all operations end in trial. Many end in indictment-plus-sanction with the defendant permanently stranded in Russia. The goal is to make ransomware operations economically and operationally costly even without a conviction.


Start Here If Your Issue Is...

| Situation | Relevant Section |
| --- | --- |
| IR team deciding whether to pay ransom | OFAC Ransomware Payment Liability |
| Tracking a specific threat group's legal exposure | REvil, DarkSide, Conti, ALPHV, or LockBit sections |
| Understanding how affiliate liability works | The RaaS Legal Model |
| Explaining developer vs. affiliate exposure to a client | The RaaS Legal Model + Conti (Alla Witte case) |
| Cryptocurrency recovery and forfeiture law | DarkSide / Colonial Pipeline section |
| Understanding Operation Cronos | LockBit section |
| Credential stuffing vs. ransomware charges | Credential Stuffing Prosecutions |
| What happens when a ransomware group disbands to avoid heat | DarkSide, ALPHV sections |

Issue Map

```mermaid
flowchart TD
    A[Ransomware Attack Occurs] --> B{Victim Pays?}
    B -->|Yes| C{Group Sanctioned by OFAC?}
    B -->|No| D[Report to FBI/CISA/IC3]
    C -->|Yes| E[Victim = Potential OFAC Defendant\nUp to $1M civil penalty per transaction\nCriminal if willful]
    C -->|No| F[Payment logged, may aid investigation\nEncourage voluntary disclosure to OFAC]
    D --> G{FBI Gains Infrastructure Access?}
    G -->|Yes| H[Decryption Keys Released\nWallets Seized - 21 U.S.C. 853\nServers Taken Down]
    G -->|No| I[Joint Advisory Issued\nIndictments Filed\nOFAC Designation]
    H --> J{Operator Reachable?}
    I --> J
    J -->|Extraditable Jurisdiction| K[Arrest, Extradition, Trial\nCFAA + Money Laundering\nForfeiture]
    J -->|Russia / DPRK / Iran| L[Indictment + Red Notice\nSDN Designation\nPublic Naming / Unmasking]
    K --> M[Sentencing\nEx: Vasinskyi 13yr 7mo\nEx: Alla Witte 32 months]
    L --> N[Operational Disruption\nTravel Restrictions\nFinancial Isolation]
```

Timeline Overview

```mermaid
timeline
    title Ransomware Disruption Operations — Key Events
    2020 : OFAC ransomware payment advisory issued (Oct)
         : Evil Corp sanctioned — Maksim Yakubets SDN listed
    2021 : Colonial Pipeline attack — DarkSide, $4.4M paid (May)
         : FBI recovers $2.3M from DarkSide wallet (Jun)
         : JBS Foods attack — REvil, $11M paid (Jun)
         : Kaseya VSA attack — REvil, 1500+ downstream victims (Jul)
         : OFAC advisory updated — explicit victim liability warning (Sep)
         : Vasinskyi and Polyanin indicted — REvil (Nov)
    2022 : Alla Witte (Trickbot/Conti) extradited from Latvia
         : Conti source code + chats leaked by Ukrainian researcher (Feb)
         : DarkSide rebrands as BlackMatter, then dissolves
    2023 : Mikhail Matveev (Wazawaka) indicted — Conti/LockBit/Hive (May)
         : Alla Witte pleads guilty — sentenced 32 months (Nov)
         : FBI seizes ALPHV/BlackCat infrastructure, releases decryption keys (Dec)
    2024 : Vasinskyi sentenced — 13 years 7 months + $16M restitution (Jan)
         : Change Healthcare attack — ALPHV affiliate, $22M ransom (Feb)
         : Operation Cronos — LockBit infrastructure seized, Khoroshev unmasked (Feb)
         : Artur Sungatov and Ivan Kondratyev indicted — LockBit U.S. charges (Feb)
```

Key Facts

Primary Statutes

| Statute | What It Covers |
| --- | --- |
| 18 U.S.C. § 1030(a)(5) | Intentional damage to protected computers — core ransomware deployment charge |
| 18 U.S.C. § 1030(a)(7) | Extortion threats involving computers — the ransom demand itself |
| 18 U.S.C. § 1956 | Money laundering — concealing proceeds of specified unlawful activity |
| 18 U.S.C. § 1957 | Engaging in monetary transactions in criminally derived property (>$10K) |
| 18 U.S.C. § 2 | Aiding and abetting — affiliate liability hook |
| 21 U.S.C. § 853 | Criminal forfeiture — seizing assets traceable to the offense |
| 18 U.S.C. § 981 | Civil forfeiture — lower burden of proof than criminal |
| 31 C.F.R. Part 510 | OFAC SDN enforcement — strict liability for transactions with designated persons |

Why Most Defendants Never Face Trial

  • Core ransomware operators are predominantly Russian nationals; Russia does not extradite its citizens (Article 61 of Russian Constitution).
  • Arrests happen when operators travel to third countries with U.S. extradition treaties (Poland, Netherlands, Switzerland, etc.).
  • Lower-tier affiliates and money launderers are more mobile and more frequently caught.

Cryptocurrency Forfeiture Mechanics

  • DOJ does not need to "hack" a wallet. Methods include: obtaining private keys from seized infrastructure; working with exchanges under subpoena; and in some cases working with blockchain analytics firms (Chainalysis, Elliptic) to trace flows to regulated exchanges where KYC creates actionable identity.
  • Civil forfeiture (§ 981) requires only probable cause — a lower bar than criminal conviction.

The DOJ Ransomware Disruption Model — When You Can't Arrest Anyone, Change What "Win" Means

Just before the 2021 Colonial Pipeline attack, ransomware was viewed by many in Washington as a law enforcement problem. After it, the Deputy Attorney General created the Ransomware and Digital Extortion Task Force (RDETF), directing it to "prioritize and accelerate disruption, investigation, and prosecution."

The word that mattered was "disruption." Not "prosecution."

DOJ's shift to disruption operations reflects an operational reality: fewer than 10% of ransomware indictments result in an in-custody defendant. The 2021 ransomware surge forced a strategic pivot. The disruption model treats indictment as a pressure tool rather than a conviction pipeline:

  • Indictment without arrest freezes assets, triggers Interpol Red Notices, and isolates the defendant from the international financial system via correspondent banking.
  • Public naming removes operational pseudonymity — operators who leak or brag are easier to track.
  • Infrastructure seizure forces groups to rebuild C2, payment sites, and leak blogs — each rebuild creates new attribution opportunities.
  • Decryption key distribution undercuts the economic model: if victims can decrypt for free, ransom payments fall.
  • OFAC designation extends pressure to the group's ecosystem — cryptocurrency exchanges, money mules, and victims who pay become potential enforcement targets.

The model's weakness is that a sophisticated group operating entirely within Russia can rebuild after disruption. Operations against ALPHV/BlackCat and LockBit demonstrated this: both groups reconstituted or splintered within weeks of major seizures.

The RaaS Legal Model

Ransomware-as-a-Service structures criminal liability across four tiers. Understanding where you sit in this structure — or where your client sits — is the first step to understanding exposure.

Tier 1: Core Developers
  - Write the ransomware payload, cryptographic routines, and C2 infrastructure
  - License it to affiliates, typically taking 20-30% of ransom proceeds
  - Charged under: § 1030(a)(5) (damage), § 1956 (money laundering)
  - Exposure: highest — they created the tool used in every attack
  - Practical risk: often the most protected; live in non-extraditing jurisdictions

Tier 2: Affiliates
  - License the RaaS kit; conduct actual intrusions; deploy ransomware
  - Negotiate with victims; manage ransom payments
  - Charged under: § 1030(a)(5), § 1030(a)(7), § 1956, § 2 (aiding and abetting developers)
  - Key doctrine: you don't write the malware to face charges — you deploy it
  - Practical risk: highest arrest risk — more mobile, more international contacts

Tier 3: Money Mules / Launderers
  - Convert cryptocurrency ransom to fiat; move funds through layered transactions
  - Often operate in Eastern Europe with easier travel patterns
  - Charged under: § 1956, § 1957
  - Practical risk: very high — banks file SARs; blockchain analytics firms track flows
  - Case example: Alla Witte (Trickbot/Conti) — developer who also laundered; 32 months

Tier 4: Victims
  - Normally not liable — CFAA provides no criminal hook for victims
  - OFAC exposure: if they pay ransom to a sanctioned group, they become potential OFAC defendants
  - Civil penalty: up to $1M per transaction (strict liability — no intent required)
  - Criminal penalty: requires knowing or willful violation

Affiliate Liability Doctrine (the Vasinskyi Holding)

The REvil prosecution established clearly that affiliate liability is real. Vasinskyi did not write REvil. He licensed it, used it to attack Kaseya and hundreds of other victims, and collected ransom. His charges were: conspiracy to commit fraud and related activity in connection with computers (§ 1030), conspiracy to commit money laundering (§ 1956), and intentional damage to protected computers. He was sentenced to 13 years 7 months. The "I only deployed it, I didn't build it" defense has no legal traction under § 2 aiding and abetting and conspiracy doctrine.

The Exit Scam Wrinkle

The Change Healthcare incident shows a further RaaS complication: an ALPHV affiliate received $22M ransom from UnitedHealth Group in February 2024, then exit-scammed BlackCat itself — walking off with the full payment without sharing the developer's cut. The affiliate's legal exposure is unchanged (they still deployed ransomware), but the fragmentation of the criminal enterprise creates investigative complications. DOJ tracks funds, not internal agreements.


REvil / Sodinokibi — Kaseya + JBS (2021–2024) — "1,500 Companies. One Zero-Day. One Arrest."

Without Warning, the Supply Chain Broke

July 4th weekend, 2021. Small businesses across the world — managed service providers, their clients, and their clients' clients — woke up to locked screens and ransom notes. The source: Kaseya VSA, IT management software used by thousands of MSPs. REvil had found a zero-day in the product itself, and one exploit had encrypted the networks of more than 1,500 downstream companies simultaneously.

The demand: $70 million. The largest ransomware demand ever made at the time.

A month earlier, REvil had forced JBS Foods — the world's largest meat processor — to pay $11 million in Bitcoin after an attack that briefly threatened the U.S. beef supply. The FBI attributed that attack to REvil as well.

But the Kaseya decryption key was eventually obtained and provided to victims; the circumstances were never officially disclosed. Then, in August 2021, Yaroslav Vasinskyi crossed the Polish border.

Yaroslav Vasinskyi (alias: Rabotnik) — Affiliate

  • Role: affiliate — deployed REvil against Kaseya and approximately 2,500 other victims
  • Arrest: August 2021 in Poland upon entry
  • Extradited: March 2022 to Northern District of Texas
  • Charges: 11 counts — conspiracy to commit fraud, CFAA damage charges, money laundering conspiracy
  • Plea: Guilty
  • Sentence: January 2024 — 13 years 7 months imprisonment + $16 million restitution + over $13.1M in proceeds forfeited
  • Significance: First major REvil conviction; proves affiliate exposure under § 2

Yevgeniy Polyanin (Russian national, deployed REvil against Texas local governments) remains indicted but at large in Russia. DOJ seized $6.1 million traceable to his ransom payments — financial pressure imposed without requiring the defendant in a courtroom.

Under the indictment theory, Vasinskyi is liable for all losses caused by REvil deployments he personally conducted plus all foreseeable co-conspirator conduct. The money laundering charges (§ 1956) attach because ransom payments are proceeds of a "specified unlawful activity" (CFAA violations), and converting or transmitting them knowing their criminal origin satisfies the statute. The $70M demand against Kaseya victims was charged under § 1030(a)(7) — the extortion provision — which criminalizes threats to damage computers in order to obtain something of value.


DarkSide / Colonial Pipeline (2021) — "The Shutdown That Changed Everything — and the Bitcoin the FBI Took Back"

May 7, 2021

A ransomware group called DarkSide attacked Colonial Pipeline. Colonial shut down its pipeline operations as a precautionary measure — not because operational technology was directly encrypted, but because billing and business IT systems were compromised and the company could not confirm the scope.

The shutdown caused gasoline shortages across the southeastern United States. Lines at gas stations. States of emergency. A White House press briefing.

Colonial paid $4.4 million in Bitcoin to DarkSide on approximately May 8, 2021.

Then the FBI Did Something No One Expected

On June 7, 2021, thirty days after the attack, DOJ announced recovery of $2.3 million — approximately 63.7 Bitcoin, representing most of the ransom paid.

The FBI possessed the private key to DarkSide's designated ransom collection wallet. How they obtained it: not officially disclosed. The likely options include access to DarkSide's infrastructure via server seizure in a cooperative jurisdiction, or cooperation from an insider.

The legal authority: 21 U.S.C. § 853 (criminal forfeiture) and 18 U.S.C. § 981 (civil forfeiture). The affidavit established the wallet contained proceeds traceable to the Colonial extortion. The government obtained a court order from the Northern District of California. They swept the wallet.

The recovery demolished the assumption that paying in Bitcoin meant the money was gone. Bitcoin is pseudonymous, not anonymous. Blockchain analytics and control of endpoint infrastructure can de-anonymize flows and enable seizure.

No U.S. Convictions

DarkSide disbanded following the Colonial attack and the attention it generated. The group reportedly reconstituted as "BlackMatter" before dissolving again. This demonstrates the "whack-a-mole" problem: disruption does not permanently remove threat actors. It removes the current infrastructure and may expose some participants, but the core technical capability survives.

Key Legal Doctrine: The government does not need to convict anyone to seize ransomware proceeds. Civil forfeiture under § 981 requires only probable cause to believe the property is traceable to criminal activity. The lower burden of proof makes asset recovery feasible even when defendants are beyond reach.


Conti Group (2021–2023) — "The Ransomware Empire with an HR Department"

Scale

Conti was one of the most prolific ransomware groups in history. DOJ attributes 400+ attacks and over $150 million in ransom collected to Conti-affiliated operations before the group fragmented in 2022. Notable attacks include the Irish Health Service Executive (HSE) attack in May 2021 — one of the most damaging ransomware attacks against a national healthcare system, causing months of disruption to patient care across Ireland.

The Leak That Changed Everything

In February 2022, following Russia's invasion of Ukraine, an anonymous Ukrainian security researcher did what law enforcement couldn't: they leaked the entire internal communication system of one of the world's most dangerous criminal organizations.

Approximately 60,000 internal Conti chat messages — the "Conti Leaks" — plus Conti's source code. The revelations: Conti operated with corporate-level organizational discipline. HR processes. Salary negotiations. Technical team hierarchy. Internal debates about the REvil arrests and what they meant for operational security. Wallet addresses. Affiliate agreements. Negotiation scripts. Identification information for several members.

The leaks did not result in immediate arrests. But they provided attribution intelligence that informed subsequent indictments and established that Conti was not a loose criminal collective — it was an enterprise.

Key Defendants

Mikhail Matveev (aliases: Wazawaka, Uhodiransomwar, m1x, Boriselcin), Russian national

  • Role: alleged affiliate for Conti, LockBit, and Hive ransomware groups
  • Indicted: May 2023, District of New Jersey and Eastern District of Michigan
  • Charges: 18 U.S.C. §§ 1030 (CFAA), 1956 (money laundering conspiracy)
  • OFAC action: Designated on SDN list simultaneously with indictment
  • State Department reward: $10 million under the Transnational Organized Crime Rewards Program
  • Status: At large in Russia. Has made public social media statements acknowledging the indictment.

Matveev has stated in interviews that he does not leave Russia. The $10M reward and SDN designation represent the outer limit of U.S. reach when extradition is unavailable. He appears to know exactly where the line is.

Alla Witte (alias: Max), Latvian national

  • Role: Trickbot malware developer — wrote code for the ransomware module; involved in money laundering activities
  • Arrest: June 2021 in Miami; extradited from Latvia
  • Charges: 19 counts including conspiracy, CFAA violations, money laundering
  • Plea: Guilty to conspiracy to commit computer fraud
  • Sentence: November 2023 — 32 months federal imprisonment
  • Significance: Developer-level exposure. Witte did not deploy ransomware against victims — she wrote components of the code.

This establishes that developing malware components, even without conducting attacks yourself, is sufficient for CFAA conspiracy charges plus money laundering exposure if you receive any share of proceeds. The "I just wrote the code" defense fails.

Developer liability: Witte's conviction establishes that writing ransomware components — not just deploying them — creates CFAA conspiracy exposure under § 1030 read with § 371 (conspiracy) or directly under § 1030(b).

The reach of § 1956 into the development layer: Witte was charged with money laundering because she received proceeds (salary or share) from Trickbot/Conti operations. Any compensation traceable to ransomware proceeds, even compensation for technical development work, can be charged as money laundering if the defendant knew the source.


ALPHV / BlackCat — DOJ Disruption (December 2023) — "They Seized the Site. The Group Took It Back."

The Group That Rebuilt in Real Time

ALPHV/BlackCat emerged in 2021 as a successor to DarkSide/BlackMatter. It was notable for being written in Rust — unusual for malware, suggesting sophisticated development resources — and for operating a professional-grade negotiation interface for victims. It followed a triple-extortion model: encrypt data, threaten to publish stolen data, and threaten to notify regulators (HIPAA, SEC) about the breach.

On December 19, 2023, DOJ announced that the FBI had gained access to ALPHV's infrastructure and:

  • Seized the ALPHV leak site and payment portal
  • Obtained decryption keys for approximately 500 victims and distributed them via the FBI
  • Placed the seizure banner on the ALPHV Tor site

Then ALPHV did something unprecedented: the group unseized its own site — temporarily — demonstrating that seizure of a Tor hidden service does not permanently disable an operator who retains the underlying keys. ALPHV subsequently announced the closure of its affiliate program, then appeared to dissolve.

No ALPHV leadership has been indicted or arrested in the U.S. This is the clearest illustration of the disruption model's ceiling: a sophisticated operation can absorb a site seizure and reconstitute.

The Change Healthcare Attack (February 2024)

An ALPHV affiliate conducted a devastating attack on Change Healthcare, a UnitedHealth Group subsidiary that processes approximately one-third of U.S. medical claims. The attack disrupted pharmacy, insurance billing, and claims processing nationwide for weeks.

UnitedHealth Group paid approximately $22 million in ransom to ALPHV/BlackCat. What happened next: the ALPHV affiliate performed an exit scam — claimed the full payment without forwarding the developer's standard cut. ALPHV disbanded. The affiliate reportedly joined RansomHub with their tools and data.

Key legal analysis: The UnitedHealth payment was to ALPHV, which at that time was not an OFAC-designated entity. However, the SEC disclosure obligations under new cybersecurity rules (effective December 2023) required disclosure — an area still being tested in enforcement.


LockBit — NCA/FBI Operation Cronos (February 2024) — "The Unmasking"

The Most Prolific Ransomware Group in History

LockBit conducted attacks on:

  • 2,000+ confirmed victims across 120+ countries
  • Critical infrastructure including hospitals, schools, and government agencies
  • Over $500 million in confirmed ransom payments over the operation's lifespan
  • In the U.S. alone: Boeing, Royal Mail (UK), Ion Financial Markets, and hundreds of others

LockBit operated a formal affiliate portal with reputation scores, support teams, and a bug bounty program for finding flaws in its own malware. It was, by any honest accounting, a professional criminal enterprise.

February 19, 2024 — Operation Cronos

A coordinated operation by the UK's National Crime Agency (NCA), FBI, Europol, and law enforcement from 10 additional countries:

  • Seized LockBit's primary leak site, affiliate panel, and ransom negotiation infrastructure
  • Obtained source code, decryption keys (provided to victims via NCA/CISA), and affiliate data
  • Published NCA's seizure banners containing LockBit's own internal data — including negotiation chat logs between LockBit and victims, presented as a deterrence and humiliation tactic
  • Unmasked LockBitSupp — the administrator who had maintained a pseudonymous identity for five years — as Dmitry Yuryevich Khoroshev, a Russian national from Voronezh
  • OFAC designated Khoroshev; State Department offered $10 million reward for information leading to his arrest or conviction
  • UK and Australian governments imposed their own autonomous sanctions simultaneously

U.S. Indictments: Two LockBit affiliates indicted in the District of New Jersey — Artur Sungatov and Ivan Kondratyev (alias: Bassterlord) — both Russian nationals, both at large in Russia.

Prior indictments charged additional LockBit affiliates, including Mikhail Vasiliev (Canadian-Russian national, arrested in Canada) and Ruslan Magomedovich Astamirov (arrested in Arizona in 2023 — a rare in-custody arrest, apparently because Astamirov was present in the U.S.).

The Doctrine This Created

Unmasking as deterrence: Operation Cronos published Khoroshev's full identity, address, and passport photo. For a threat actor who maintained a pseudonymous identity for five years, deanonymization removes the operational security that enabled recruitment, payment, and affiliate trust. Affiliates are less willing to work with an operator who can no longer guarantee anonymity.

Affiliate data liability: When law enforcement seizes a ransomware affiliate panel, they obtain the complete operational database of every affiliate: their handles, attack histories, cryptocurrency wallet addresses, and cut percentages. This data directly feeds attribution efforts and potential charges for affiliates operating in reachable jurisdictions.


Credential Stuffing Prosecutions — "The Gray Zone Between CFAA and Ransomware"

Credential stuffing is legally distinct from ransomware but shares the same primary statute: 18 U.S.C. § 1030. The technique uses leaked username/password databases to automate login attempts against target services. From a legal standpoint, the question is whether using a valid credential (leaked from elsewhere) against a service you have no authorization to access constitutes "unauthorized access."

The post-Van Buren tension: Van Buren v. United States (2021) narrowed § 1030's "exceeds authorized access" prong. If someone has been given access to a system (i.e., they have a valid account), using that access for impermissible purposes may not be a § 1030 violation under Van Buren. But credential stuffing involves using another person's credentials to access an account the attacker was never authorized to access. Courts have not definitively resolved whether credential stuffing falls under § 1030(a)(2) "unauthorized access" or § 1030(a)(6) "trafficking in passwords," but most practitioners treat it as clearly within § 1030(a)(2).

Key Cases

United States v. George Waller (2020, D.D.C.): Waller conducted automated login attacks against Dunkin' Donuts customer accounts using credential databases purchased on dark web forums. Charged under § 1030(a)(2) (unauthorized access to obtain information). Sentenced to 18 months probation and restitution.

FTC Enforcement (Non-Criminal):

  • Drizly (2022): FTC entered consent order following a data breach enabled in part by inadequate authentication controls that allowed credential stuffing. Not criminal — administrative enforcement requiring security improvements and restricted data practices.
  • 1-800-Flowers: FTC action after breach enabled by weak authentication.

The FTC route is civil/administrative; the DOJ route is criminal. Both are available. Companies with inadequate authentication controls face regulatory exposure; actors conducting the stuffing face criminal exposure.

Van Buren's Unresolved Tension

Van Buren's "gates up/gates down" framework creates ambiguity at the edges. A credential stuffing attacker using someone else's valid credentials arguably "bypassed" no gate — the gate accepted the credential. But the better reading, and DOJ's operational theory, is that § 1030(a)(2) covers access by someone with no authorization — the gate's response to a stolen key does not make the entry authorized. No circuit court has definitively ruled post-Van Buren, but prosecution risk for credential stuffing remains high.


OFAC Ransomware Payment Liability — "The Victim Who Became the Defendant"

The Shock Doctrine

Most executives who authorize ransomware payments believe they are victims. OFAC's advisory framework introduces a point that lands like a revelation: you can be both.

OFAC issued its first ransomware-specific advisory in October 2020, updated September 2021. The core holding: paying ransom to a sanctioned entity violates the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) regardless of whether the payer is a victim. Ignorance of the entity's sanctioned status is not a complete defense — OFAC applies strict liability for civil violations.

Designated Ransomware-Linked Entities

| Group / Actor | Designation Basis | Notes |
| --- | --- | --- |
| Evil Corp / Maksim Yakubets | Treasury Dec 2019 | Dridex/WastedLocker/Phoenix CryptoLocker; DOJ indictment simultaneous |
| Lazarus Group / Bluenoroff / Andariel | Treasury Sept 2019 | DPRK state-sponsored; WannaCry attribution; SWIFT heist funds |
| Iranian APT actors (MuddyWater et al.) | Various Treasury designations | Ransomware as covert ops / revenue generation |
| ALPHV/BlackCat | Not designated as of Change Healthcare attack (Feb 2024) | Post-Change Healthcare designation status evolving |
| Dmitry Khoroshev / LockBit | OFAC designation Feb 2024 via Operation Cronos | SDN listed; $10M reward |
| Mikhail Matveev | OFAC designation May 2023 | Wazawaka; $10M reward |

The CNA Financial Case — The Payment That Wasn't Prosecuted

In March 2021, CNA Financial, one of the largest U.S. commercial insurers, reportedly paid $40 million in ransom to a group using Phoenix CryptoLocker — a tool associated with Evil Corp, which was OFAC-sanctioned since December 2019. If the payment was to Evil Corp or a closely aligned group, it would constitute a strict-liability OFAC violation.

As of this writing, no public OFAC enforcement action has been taken against CNA. This may reflect voluntary disclosure by CNA (an OFAC credit factor), uncertainty in the technical attribution, or enforcement discretion. The absence of public action should not be read as validation of the payment.

Penalty Structure

  • Civil liability: Up to the greater of $1,078,017 per violation or twice the transaction value (adjusted per IEEPA penalty inflation)
  • Criminal liability: Requires knowing or willful violation; up to $1 million per violation and 20 years imprisonment under IEEPA
  • Mitigation factors OFAC considers: Whether the victim reported to law enforcement and OFAC promptly; whether the victim had a sanctions compliance program; whether the victim cooperated with FBI/CISA post-incident; whether the payment was made after consultation with OFAC

Practical IR Team Protocol

Before authorizing any ransom payment:

  1. Screen the threat actor against the current OFAC SDN list (sanctions.ofac.treas.gov)
  2. Screen the cryptocurrency wallet addresses against OFAC-designated digital currency addresses (regularly updated in the SDN database)
  3. Consider voluntary OFAC disclosure if the payment may reach an entity affiliated with a designated party
  4. Report to FBI IC3 regardless of the payment decision
  5. Document all decision-making, with legal counsel involved at each step

Practical Takeaways

For Incident Responders

  • Report to FBI IC3 before paying. This creates a cooperation record that OFAC weighs heavily in enforcement decisions.
  • Screen the ransomware group against OFAC SDN list before payment. Attribution is often available within hours of a sophisticated attack; threat intel firms maintain real-time group-to-sanction-status mappings.
  • Cryptocurrency is not anonymous — do not advise clients that Bitcoin payment is untraceable. FBI has demonstrated wallet seizure capability multiple times.
  • The decryption key may be obtainable without payment. Contact CISA/FBI before paying — operational disruption activities sometimes yield keys in advance of victims making contact.
  • Document every decision for potential OFAC voluntary disclosure purposes.
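Steps 1 through 5 of the IR team protocol above, together with the "screen before paying" takeaways, as an added Python worksheet that is not part of this module. The SDN records are a constructed sample (the names and designation months are the ones the module cites; the wallet addresses are made-up placeholders), the Phoenix CryptoLocker to Evil Corp link is taken from the CNA discussion, and the per-violation cap is the figure from the penalty section. A real run replaces SAMPLE_SDN with the current list downloaded from sanctions.ofac.treas.gov.

```python
"""Pre-payment OFAC screening worksheet for an IR team (added example, constructed data)."""
from dataclasses import dataclass, field

# Civil ceiling per violation quoted in the penalty section (IEEPA, inflation-adjusted).
IEEPA_CIVIL_MAX_PER_VIOLATION = 1_078_017


@dataclass(frozen=True)
class SdnEntry:
    name: str
    designated: str                                   # designation month, as the module states it
    aliases: frozenset = field(default_factory=frozenset)   # lowercase group/handle names
    wallets: frozenset = field(default_factory=frozenset)   # designated digital currency addresses


# Constructed sample in the shape of SDN entries. Wallet strings are placeholders,
# not real designated addresses.
SAMPLE_SDN = (
    SdnEntry("Evil Corp", "Dec 2019", frozenset({"evil corp"}),
             frozenset({"bc1q-constructed-evilcorp-wallet-01"})),
    SdnEntry("Dmitry Khoroshev", "Feb 2024", frozenset({"lockbit"}),
             frozenset({"bc1q-constructed-lockbit-wallet-01"})),
    SdnEntry("Mikhail Matveev", "May 2023", frozenset({"wazawaka"})),
)

# Tooling-to-operator attribution described in the CNA case: Phoenix CryptoLocker is
# associated with Evil Corp. Attribution is a judgment call, so a hit here escalates
# to counsel rather than blocking outright.
ASSOCIATIONS = {"phoenix cryptolocker": "Evil Corp"}


def normalize(text: str) -> str:
    """Collapse whitespace and case so 'LockBit ' and 'lockbit' compare equal."""
    return " ".join(text.strip().lower().split())


def screen_actor(actor: str, sdn=SAMPLE_SDN):
    """Step 1: (kind, entry) pairs. 'direct' = the actor is on the list by name or alias;
    'associated' = the actor's tooling is attributed to a listed party."""
    key = normalize(actor)
    hits = [("direct", e) for e in sdn if key == normalize(e.name) or key in e.aliases]
    linked = ASSOCIATIONS.get(key)
    if linked:
        hits += [("associated", e) for e in sdn if e.name == linked]
    return hits


def screen_wallet(address: str, sdn=SAMPLE_SDN):
    """Step 2: exact match of the payment address against designated addresses."""
    addr = address.strip()
    for entry in sdn:
        if addr in entry.wallets:
            return entry
    return None


def civil_exposure(payment_usd: float) -> float:
    """Strict-liability civil ceiling: the greater of the per-violation cap
    or twice the transaction value."""
    return max(IEEPA_CIVIL_MAX_PER_VIOLATION, 2 * payment_usd)


def prepayment_checklist(actor: str, wallet: str, payment_usd: float, sdn=SAMPLE_SDN) -> dict:
    """Run the five protocol steps and return a decision record for counsel (step 5)."""
    actor_hits = screen_actor(actor, sdn)
    wallet_hit = screen_wallet(wallet, sdn)
    direct = [e.name for kind, e in actor_hits if kind == "direct"]
    associated = [e.name for kind, e in actor_hits if kind == "associated"]
    if direct or wallet_hit:
        decision = "BLOCK"          # payment would go to an SDN-designated party
    elif associated:
        decision = "ESCALATE"       # attributed to a designated party; counsel decides
    else:
        decision = "REVIEW"         # clean screen, but designations lag; not a clearance
    return {
        "decision": decision,
        "sdn_direct": direct,
        "sdn_associated": associated,
        "wallet_designated": wallet_hit.name if wallet_hit else None,
        "civil_exposure_usd": civil_exposure(payment_usd),
        "report_to_ic3": True,                                  # step 4, regardless of decision
        "consider_ofac_voluntary_disclosure": decision != "REVIEW",   # step 3
        "counsel_signoff_required": True,                       # step 5
    }


if __name__ == "__main__":
    print(prepayment_checklist("Phoenix CryptoLocker", "bc1q-unknown", 40_000_000))
```

The REVIEW outcome is deliberately not named CLEAR: as the analyst notes below point out, SDN designations often trail a group's activity by a year or more, so a clean screen still goes to counsel with the IC3 report attached.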

For Threat Intelligence Analysts

  • The Conti leaks are publicly available and remain one of the most detailed datasets on ransomware operational structure ever released. They are legitimate research material.
  • OFAC SDN designations frequently lag group activity by 12–24 months. Current SDN status is necessary but not sufficient for payment risk assessment.
  • LockBit's affiliate database, obtained in Operation Cronos, is now in law enforcement hands. Analysts tracking affiliate activity should note that some affiliates may face undisclosed sealed indictments.

For Security Researchers

  • Credential stuffing remains prosecutable under § 1030(a)(2) even post-Van Buren. Do not conduct automated login testing against production systems without explicit authorization.
  • Participating in ransomware simulation exercises or red team engagements targeting "test" environments requires written authorization covering CFAA § 1030 for each system in scope.
  • Receiving decryption keys from ransomware groups during academic research creates potential money laundering adjacency if any consideration is exchanged. Consult counsel before engaging with active threat actors.

For Legal Counsel Advising Victims

  • OFAC voluntary self-disclosure meaningfully reduces penalty risk; document the decision to disclose promptly.
  • SEC cybersecurity incident disclosure rules (effective Dec 2023) require disclosure of material incidents within 4 business days; ransomware attacks affecting public companies are presumptively material.
  • Cyber insurance policies increasingly exclude OFAC-covered payments or require insurer approval before payment.

What This Module Does Not Cover

  • Civil litigation between ransomware victims and negligent third parties (covered in Module 1F)
  • HIPAA enforcement actions following ransomware attacks on covered entities (covered in Module 1I)
  • State-level computer crime statutes beyond federal § 1030 (covered in Module 1B)
  • Diplomatic and foreign policy dimensions of ransomware (ODNI threat assessments, sanctions policy)
  • Insurance coverage disputes — business interruption, cyber policy exclusions
  • International mutual legal assistance treaty (MLAT) mechanics in detail
  • North Korea (DPRK) Lazarus Group operations — cryptocurrency theft distinct from ransomware prosecution model
  • Specific incident reporting obligations under CIRCIA (covered in Module 1H)

For Non-Technical Readers

Ransomware is software that locks your files or computer systems and demands payment — usually in cryptocurrency — to restore access. Criminal groups have organized these attacks the same way software companies organize product lines: some people write the software, some people use it to conduct attacks, and some people handle the money. The U.S. government now tries to disrupt all three layers at once.

When law enforcement "takes down" a ransomware group, it usually means they seized the group's websites and sometimes recovered stolen money — but the people running the operation are usually in Russia and can simply rebuild. The legal challenge is that Russia does not extradite its citizens to the U.S. So the government files charges anyway, freezes any money it can find, and publicly names the operators — hoping that other countries will arrest them if they travel, and that the publicity will deter potential affiliates from joining the group.

One thing that surprises many people: if your company pays a ransom to a group that the U.S. government has already sanctioned (put on a prohibited list), your company can be fined — even though you were the victim. This is why cybersecurity lawyers check the government's sanctions list before advising clients to pay. The law treats it like trading with a prohibited country: intent does not matter for the basic civil fine, only whether you paid the wrong person.
