
October 26, 2020

Is It Legal to Pay Ransom to Cybercriminals?

Ransomware is on the rise. The novel coronavirus (COVID-19) pandemic triggered a 72 percent spike in this insidious malware, according to a recent report in Security magazine. During an attack, cybercriminals typically gain access to a company’s data or systems and then restrict the company’s own access unless a ransom is paid. This can effectively cripple normal business operations, so some companies pay to get back on track faster.

While succumbing to a hacker’s demands can seem like a convenient, if costly, way to resolve the situation, it may not be entirely legal. 

New Advisories Warn Against Facilitating Ransomware Payments 

On Oct. 1, 2020, the U.S. Department of the Treasury’s Office of Terrorism and Financial Intelligence announced two advisories to help businesses and individuals combat increasingly prevalent and sophisticated ransomware scams and attacks. The guidance also outlined potential implications, such as steep fines, for those making or assisting with such payments. 

The department’s Office of Foreign Assets Control (OFAC) issued a Ransomware Advisory warning that facilitators of ransomware payments to prohibited individuals may be held civilly liable.

“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” it reads. “Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

The department’s Financial Crimes Enforcement Network (FinCEN) also released an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, providing details on associated trends, warning signs, and the roles of financial intermediaries in these transactions, among other important information.

Both offices stress the need for companies and employees to remain vigilant in reporting such cybercrimes, which typically encrypt hacked data to extort ransom payments—with many schemes involving convertible virtual currency (CVC).   

The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) also generally prohibit American citizens and businesses from conducting financial transactions with blocked persons and organizations, including those on the OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List, and those under comprehensive international or regional embargoes. 

Violators may incur civil penalties regardless of whether they knew they were engaging in a transaction prohibited under these laws. Since you may not know if an attack originates from a teenager next door or a government-linked hacking operation from a sanctioned nation, paying ransom could be a gamble. 

How Should You Respond to a Ransomware Attack?

Enlisting a cybersecurity firm can help you identify and isolate the attack, verify your backups, and restore to the most recent backup without financially supporting cybercriminals.

If a business suspects a ransomware attack involves a sanctions nexus, it should notify the OFAC. Victims should also contact the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection if the attack disrupts a U.S. financial institution’s ability to perform critical services. 

What You Need in an Effective Cybersecurity Program

A robust cybersecurity program can reduce the likelihood of a breach and minimize damage should cybercriminals gain access to your system. 

This requires three critical components:

  • Prevention

Prevention can stop attackers before they do untold damage. Techniques may include policy development, staff training, and access controls. While this should be the first step in any cybersecurity program, it isn’t 100 percent effective, because new threats emerge daily.

  • Detection

Detection enables you to spot breaches so that you can respond quickly and mitigate your risks. Without sufficient measures, threat actors could have unfettered access to your data for weeks or even months before you realize it. 

  • Response

When you detect a threat, you must act quickly to resolve it. The less information ransomware attackers gain access to, the less leverage they’ll have against you. Businesses should have established response procedures in place to contain incidents as efficiently as possible. 

Cybersafe Solutions provides multifaceted cybersecurity services that include prevention, detection, and response. Our Continuous Security Monitoring scans your endpoints around the clock to remediate threats before they become breaches, helping prevent you from being forced to choose between paying ransom and pausing operations to recover data. Contact us to shore up your defenses today.