
Is It Illegal to Pay Ransomware?

Technology Services • Published 10/07/2020
Ransomware is a lucrative, growing business for cyber criminals. An estimated $25 billion will likely be paid in ransom demands during 2020, with a total global economic impact of nearly $170 billion. There now also appears to be the first known death related to a cyber-attack. Prosecutors believe that a German woman died because of the delay in treatment due to cyber criminals attacking, and ultimately compromising, a hospital’s IT infrastructure.

Exacerbating an already daunting problem is the realization that more attackers are inclined to publish the data they steal. Data is exfiltrated in approximately 25% of attacks, and that confidential or highly sensitive data may ultimately be released to the public. For example, the Maze ransomware group released data from LG Electronics and Xerox, and most recently hit the Fairfax County School system. The attackers hope the fear of data exposure will create more urgency and panic, aiding them in extorting money without delay or negotiation.

As long as ransomware attacks pay off, they will continue to evolve and become increasingly common.


Ending ransomware payments

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory to alert the public that paying a ransom demanded by cyber criminals may be a violation of US law. The advisory details the risk of sanctions and possible civil penalties for paying, or assisting in the payment of, a ransomware demand. Several malicious threat actors have been designated under OFAC’s cyber sanctions, including architects of ransomware breaches and individuals who enable the financial transactions related to ransomware events.

OFAC’s reasoning is rooted in the assumption that ransomware payments could be leveraged by enemies of the United States to finance activities adverse to national interests and national security. Not only are direct payments from affected individuals considered a violation, but those who help facilitate payments may also be liable.

How far does the impact of OFAC’s statement reach?

The statement could have enormous impact on the cybersecurity industry as a whole. Firms that perform breach response could be held accountable if a payment is made to a ransomware group as part of response and remediation efforts, particularly if the payment was linked to an OFAC-sanctioned group. There could be an unwillingness within these firms to engage with organizations infected by ransomware, leading to prolonged recovery times and greater data loss. This compounds the understanding within the cybersecurity community that federal law enforcement will not engage if payments are made or recommended for ransomware of any kind.

The impact could extend beyond firms engaged in incident response and remediation. In fact, OFAC specifically encourages cyber insurance underwriters, consulting firms providing computer forensics and incident response, and banks/services that process the ransom payments to implement a risk-based approach to ensure compliance. The advisory also recommends that companies engaging with cyber criminals and making payments for victims should review legal requirements within the Financial Crimes Enforcement Network (FinCEN) regulations.


Does it go far enough?

Many cybersecurity professionals believe that governments around the globe should implement a complete ban on ransomware payments. Ransomware exists for the sole purpose of extorting money. If the money ceases to flow, ransomware attacks will become unprofitable and ultimately less frequent.

Until ransom payments end altogether and attackers can no longer use ransomware as a money-generating tactic, organizations must continue to develop their IT protection efforts: monitoring for, detecting, and effectively responding to threats before ransomware creates a lose-lose situation in which the only options are to accept irreparable damage to data and operations or to pay an illegal ransom to restore access.

A holistic cybersecurity plan might include steps such as implementing a zero trust model, hiring specialized IT staff, or engaging with an experienced cybersecurity partner for managed detection and response services.

Learn more

P&N Technology Services professionals work diligently to develop informative articles and webinars on a wide variety of topics. Join our cybersecurity contact list to stay updated on all P&N technology insights and webinars.
