Ransomware continues its relentless rise.
The first half of this year saw a 151% increase in ransom demands over the first half of last year, reports Threatpost. And this type of cyber attack is growing in complexity as well as frequency. More ransomware now uses double, triple, even quadruple extortion techniques.
As payouts climb—by mid-2021, the average payment had reached $570,000—and as ransomware’s consequences in sectors like health care and agriculture make dire headlines, more organizations are wondering, “Is it illegal to pay ransom?”
It’s an understandable question. No one wants to pay ransomware criminals and reward their malicious activity, but paying—and many cybercriminals know what targets can afford, or will negotiate their demand down—is the path of least resistance.
If handing over the money means unlocking encrypted files and ending a business interruption, doesn’t it sometimes make sense to do so, assuming paying ransom is legal?
But organizations need to know: In some cases, it is illegal to pay ransom, and doing so could get a cyber attack victim in trouble.
At ProWriters, we want you to understand when paying ransom isn’t a legal option and why, so you can help your business clients choose their level of Cyber Insurance accordingly.
Paying Ransom Demands May Threaten U.S. National Security
As of this writing, no absolute federal or state prohibition making it illegal to pay ransom is on the books in the United States. Some federal legislators have suggested such laws. Others argue a categorical prohibition would overstep government authority and hurt “victims who may not have any other way to regain access to their systems or … prevent sensitive data from being leaked,” according to law firm Faegre Drinker.
But in October 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory highlighting how companies helping cyber attack victims pay ransomware demands risk violating OFAC regulations.
The OFAC advisory stated:
- Ransomware payments may enable criminals and adversaries with a “sanctions nexus” (that is, some connection to individuals and entities upon whom the U.S. has imposed sanctions) “to profit and advance their illicit aims,” thus threatening U.S. national security and foreign policy.
- Ransomware payments may “embolden cyber actors to engage in future attacks.”
- Ransomware payments do not guarantee access to compromised data.
The advisory cautioned OFAC “may impose civil penalties for sanctions violations based on strict liability.”
In other words, if you’re subject to U.S. law and make a ransomware payment to an entity against whom the nation enforces sanctions—even if you don’t know it—you can be held civilly liable.
Mitigating Factors in OFAC Law Enforcement Responses to Paid Ransoms
Last month, the Treasury weighed in again on paying ransomware demands.
OFAC took its first actions against a virtual currency exchange, accusing SUEX of laundering ransomware payments. OFAC analysis shows “over 40% of SUEX’s known transaction history is associated with illicit actors.”
OFAC also issued an updated advisory about facilitating ransomware payments. “The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands,” the advisory states, “and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”
The advisory stresses cyber attack victims’ responsibility to report attacks to relevant law enforcement agencies as soon as possible, and cooperate with those agencies throughout the response process. Victims should report the attack to:
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The FBI Internet Crime Complaint Center (IC3)
- Local FBI or U.S. Secret Service field office
In particular, targets of cyber ransom demands should report the incident to the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), as well as OFAC if the victim suspects a sanctions nexus.
Touching on when it is illegal to pay ransom, the advisory states OFAC “will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack … to be a significant mitigating factor” in any OFAC law enforcement action.
OFAC will also consider an organization’s updated and improved cybersecurity measures as further mitigating factors. Such measures include:
- Maintaining offline backups of data.
- Developing incident response plans.
- Instituting cybersecurity training.
- Regularly updating antivirus and anti-malware software.
- Employing authentication protocols.
Don’t Leave Your Clients in the Dark About Ransomware Dangers
Whether it is illegal to pay ransom to cybercriminals in a given situation or not, consider this alarming fact: Eight out of 10 organizations who pay ransomware demands are hit by a second attack. For so many reasons, then, taking what appears to be the simplest action in response to a ransomware attack isn’t the smartest move.
Don’t let your business clients believe ransomware and other cyber attacks only happen to major multinational corporations or other high-profile companies. Small and medium-sized businesses suffer 50-70% of ransom attacks, and 60% of them fail within six months of the incident.
Your clients need robust Cyber Liability Insurance. It can help them manage the risks and cover the costs associated with the dangers of doing business in today’s digital marketplace. And a strong policy can also give them access to top law firms who deal with data breaches and their aftermath on a regular basis. These firms can advise clients on the legalities of a given ransomware situation, and work with regulators on your clients’ behalf.
Want to know more about ransomware attacks, and how your clients can protect themselves—and recover should they become a target? Download our free ebook, Ransomware: The Front Lines, today.