Should You Pay a Ransom to Cybercriminals? My Take on the Legality Issue

Should you pay a ransom to cybercriminals? Is this action illegal? 

Before I answer that question, I will say that—legal or not—paying the bad guys is not normally a good idea. 

For starters, can we really trust them to keep their word? Who says they will decrypt your data once you meet the ransom?  

It also tells cybercriminals that your organization has the cash to pay up. 

But if those considerations weren’t enough, here’s our answer to the original question.  

Should you pay a ransom? 

CSO reports that “the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers.”  

If you want to see the Department’s official document for yourself, you’ll find it here.  

Citing national security, the advisory calls out third parties, such as “cyber insurance firms.” But it also has language that applies to the population at large, including small business owners:   

“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).” 

So should you pay a ransom, and is this action illegal? CSO states, “The OFAC advisory doesn’t outright ban ransomware payments.” But it does appear that the advisory is tantamount to a prohibition.  

And here’s why. In one section, the Department writes… 

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” 

I know this is a lot of government-speak. But hang in here as I want to draw a real-life illustration.  

Let’s say that you make a ransomware payment to a cybercriminal whom you think lives in the U.S. But unbeknownst to you, this person resides in North Korea and is under an embargo. It makes no difference. You could be in trouble with OFAC.  

As you think about the implications for your own business, here are a few observations. 

1. Compliant risk mitigation is key.  

If your cybersecurity strategy allows for meeting a ransomware demand, it’s time to make a change. This advisory should inform which options are on the table in your incident response plan.  

Business owners, your IT company needs to help you think through how to address compromises without sacrificing compliance. 

2. This may affect the cyber insurance market.  

When it comes to cyber insurance, perhaps you’ve considered a policy to cover a ransomware payment. If so, realize that this advisory hasn’t gone unnoticed. While the Insurance Journal has an optimistic outlook, here’s what the CSO article has to say: 

“The Treasury Department’s advisory warns companies not to pay ransoms to sanctioned entities. The move complicates ransomware incident response and might encourage insurance carriers to drop ransomware coverage.”  

I can also see this advisory impacting cybersecurity vendors, too. For example, one of our vendors offers a solution that has a $1 million ransomware insurance policy.  

Only time will tell. 

3. Data backups are a must.   

Businesses should be certain they have robust data backups. Always!  

But the reality is that not all companies do, or they don’t know for sure. And if an organization has no copies to rely on, it might consider paying a ransomware demand. Cash becomes a crutch for sloppy cybersecurity. 

This advisory makes that practice even more undesirable than it already is.  

4. It’s one more reason to proactively spot The Silent Bad Actor.  

While data backups are a best practice, I wish they were the resort of last measure in the small business community.  

You don’t want to reach the point where you’re dealing with a full-blown ransomware attack. Given the phenomenon of the ransomware data breach, it’s better to have a cybersecurity approach that spots The Silent Bad Actor early on. 

Does your risk mitigation plan reflect the times we live in?  

Do you know how to protect your organization from cybercriminals—compliantly?  

If you need help, call 704-464-3075, and ask for Steve. Or write us at info@weareproactive.com.