ETFOptimize | High-performance ETF-based Investment Strategies


Is Paying Ransom on a Ransomware Attack Legal?

Cybercriminals have found that extorting organizations through ransomware attacks is a lucrative business model. As malware used in cyberattacks becomes increasingly sophisticated, ransomware attacks are on the rise.

When an organization falls victim to a ransomware attack, it has to decide whether or not to pay the ransom. But is that legal?

In the U.S., the answer is not entirely clear-cut. In a 2020 ruling, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in many cases.

What is Ransomware?

Ransomware is a type of malware that infiltrates a network and devices to block access to your data and other personal information. This information is encrypted by the cybercriminals and held hostage until a ransom is paid.

Unfortunately, ransomware is often very difficult to remove, and paying the ransom does not guarantee that the criminals will restore access to your data.

How Illegal Is Paying the Ransom in the U.S.?

First, it’s important to understand what OFAC deems illegal when it comes to ransom payments. OFAC explains that ransomware payments made to “sanctioned persons” or “comprehensively sanctioned jurisdictions” could be used to fund terrorist activities that could negatively impact U.S. national security and foreign policy. Additionally, paying up essentially enables future attacks.

OFAC’s ruling applies to individuals and managed service providers that facilitate ransomware attack payments – from cyber insurance companies to cyber forensic firms – stating that they may be prosecuted for arranging payment.

OFAC makes it clear that civil penalties may be imposed on those who violate such sanctions.

How Severe Is the Problem?

The rate of ransomware attacks increases every year. The problem is widespread; two notable attacks that had far-reaching consequences were:

  • May of 2021: Energy provider Colonial Pipeline paid a $4.4 million ransom after a ransomware attack forced them to cease operations, resulting in fuel shortages throughout the East Coast.
  • June of 2020: Meat supplier JBS paid $11 million following a ransomware attack that halted meat processing and temporarily shut down its plants. This caused the price of pork and beef products to skyrocket across the U.S.

What Should I Do if I’ve Been a Victim of a Ransomware Attack?

Should you realize that you have fallen victim to a ransomware attack, the first thing to do is contact your IT department or third-party company immediately. They can get a handle on your situation and make a plan for how to move forward. Unfortunately, the data needed to identify the breach source disappears quickly, so you must act fast.

If you have good backups of your data, you are in a much safer state. But if you don’t, you may need to work with the FBI and OFAC to get a proper handle on the matter.

If you have cyber insurance, learn what your options are. Ultimately, knowing how this happened will leave you better prepared for future cyber threats.

Contact Information:

Name: Michael Bertini
Email: michael.bertini@iquanti.com
Job Title: Consultant
