Paying Ransom On a Ransomware Attack Is Illegal

By: Joshua Beitler

What would be your first reaction if your business got hit with a ransomware attack? Many business owners would jump to pay the ransom, as it seems like the quickest and most painless way to get operations back to normal.

However, it turns out that paying the ransom demanded in a ransomware attack could be illegal.

That’s right: in a 2020 ruling, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in some (most) cases.

Hopefully, you haven’t had to endure the pain of a ransomware attack, or any cyberattack for that matter. If you have, then you know how frustrating, expensive and time consuming it is to get your business running again.

Ransomware has been on the rise since the start of the COVID-19 pandemic. Bad actors know that people who work from home might not have the security mindset, corporate security hardware and protections that most businesses have in place at the office, which makes them an easier target.

There are best practices and tools that can protect your end users and your business from a ransomware attack.

What Is Ransomware?

To put it simply, ransomware is a malicious computer program that encrypts all the files you rely on to do business. These files can be on your computer, your network and cloud shares, really anywhere you store the files you need on a day-to-day basis. Once encrypted, the program pops up a screen telling you to pay a ransom in bitcoin to get your files back. (If you were hit with an older variant of ransomware, it’s possible that someone has already created a reversal tool that can decrypt your files without paying the ransom, but half the time this option doesn’t work.)

If you have a reliable data backup/business continuity system, then you can restore your systems and files. But if you find yourself in a position where you cannot restore your files, your only option seems to be to bite the bullet, pay the ransom and hope that the attacker gives you the keys to decrypt the files. But let’s face it, if the attacker was dishonest enough to attack your system, are they really going to give you your files back?

Why Is Paying a Ransom Illegal?

Now that you know what ransomware is and how attackers make their money off it, it’s important to understand what the OFAC is saying about paying the ransom.

They say that by paying ransoms, you are enabling criminals to continue their attacks.

When one small business is successfully attacked, that can lead to bigger issues, as the OFAC explains, “Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.”

They also say that just because you pay the ransom, it doesn’t mean you’ll get your stolen data back. This is another important factor that went into OFAC’s decision to make paying ransoms for cyberattacks illegal.

Essentially, OFAC is saying that paying a ransom is funding cyber terrorism and possibly financially aiding other countries’ malicious efforts. But who is this statement referring to? Well, presumably anyone who pays a ransom, but they are specifically calling out managed service providers, insurance companies and cyber forensics firms, telling them they may be prosecuted or fined for helping to arrange a payment.

It’s also important to know that you can be prosecuted even if you weren’t aware of your involvement with paying the ransom, as OFAC explains, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

This makes it clear that paying ransom is viewed as funding cyber terrorism (or worse)!

What Should I Do If I’m the Victim of a Ransomware Attack?

The first thing you should do is contact your IT company immediately so they can start the remediation process. The data needed to accurately outline the details of the breach disappears quickly. You want to know how this happened so you can better protect your organization in the future. If you have good backups, you won’t lose much data. However, if you do not have solid backups and you cannot get those files back, you will want to partner with the FBI, OFAC and a cyber incident response company such as FireEye. If you have cyber insurance, you will need to file a claim immediately so they can also provide expert help and remediation.

How Can I Protect Myself From a Cyberattack?

Now that you understand the dangers of paying the ransom for a cyberattack, you’re probably wondering what you can do to prevent yourself from ever being in that situation. Thankfully, there are a few steps you can take to head off a cyberattack:

  1. Security awareness training: Your users are your first line of defense against attacks. Training them to recognize red flags and then doing follow-up testing is key to ensuring users are not clicking links they shouldn’t be or letting attackers into their machines. Our Five-Minute Guide to Cyber Security helps employees learn to spot cyber threats and what to do about them.
  2. Robust next-gen endpoint protection: While these tools aren’t a cure-all, they are an essential line of defense. The latest versions of this software extend the perimeter of protection from your corporate offices to wherever your employees are working.
  3. Disaster recovery system: Having a reliable backup/business continuity system in place and tested is key. Keeping backups off site, in case your on-site backup appliance is compromised, will allow you to restore your files or keep your business running in the cloud.
  4. Perimeter protection: Make sure you have a firewall with advanced security that can block malicious links or files, or detect that an intrusion has happened and shut it down. The same goes for advanced email filtering; many advanced filters can detect phishing and block it.
  5. Cyber insurance: You might want to consider cyber insurance to help with the financial blow of a data breach, ransomware attack or other data disaster. Experts say that it’s not a matter of if you experience a cyberattack, but when. My blog post about cyber insurance will help you decide if it’s a good option for your business.

Putting in some time and effort now to ensure you have these best practices in place may save you some major headaches down the road.

Need Help?

Our Technology Solutions Group includes a team of cyber security experts. We’re happy to meet with you for a free cyber security assessment of your organization’s IT infrastructure. Or, you can contact us online or call 410.685.5512 with any questions.

Published August 26, 2021