Is it legal to pay ransomware ransoms?
Ransomware attacks have become more sophisticated and widespread, affecting almost everyone from large corporations, small and medium-sized businesses, government agencies, non-profit organizations, hospital systems to individual consumers. Once a computer network or system is infected by ransomware, cybercriminals encrypt the victim’s files and demand a ransom in exchange for a decryption key. Victims often have no choice but to pay ransomware ransoms to regain access to their files. Is it legal to pay ransomware ransoms to hackers?

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory regarding ransomware payments. There has been very little mention or analysis of the “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” This is surprising, since the document calls into question the legality of paying ransomware ransoms.

According to the advisory, there are “sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”


This means that companies that help or facilitate ransomware payments to cybercriminals are at risk of violating OFAC regulations. This puts the victims of an attack, as well as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” in the crosshairs of possible U.S. sanctions, or at risk of a “sanctions nexus.”

Background of Ransomware Attacks 

Ransomware is malicious software (malware) that attacks a computer network to shut down access to the computer system and/or its data until a ransom is paid. Ransomware is usually spread through phishing emails or after a cybercriminal obtains an employee’s login credentials.

Cybercriminals target companies, institutions, and other online systems that people rely on to continue conducting business.

According to the Federal Bureau of Investigation’s (FBI) 2018 and 2019 Internet Crime Reports, ransomware cases increased by 37% and there was a “147 percent annual increase in associated losses” during those years. In 2020, ransomware attacks have also increased dramatically during the COVID-19 pandemic.

Wanted by the US for Cybercrimes

OFAC maintains a Specially Designated Nationals and Blocked Persons List (SDN List), which details blocked persons as well as country and regional embargoes. This includes numerous cybercrime groups and parts of the world, including “Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.”

Since 2013, OFAC has designated many malicious cyber actors including those committing ransomware attacks, using its “cyber-related sanctions program and other sanctions programs.”

Examples include Russia-based and state-sponsored Evgeniy Mikhailovich Bogachev, who developed the Cryptolocker ransomware used to infect 117,000 computers in the United States between 2013 and 2016. Bogachev goes by the online monikers of “lucky12345” and “Slavik” and is wanted by the FBI. There is a $5 million reward for his capture.

The SamSam ransomware was used from 2015 to 2018 to target many governmental institutions, large cities such as Atlanta, Georgia, and big companies. OFAC sanctioned two Iranian nationals, suspected of working on behalf of Iran, for providing material support for ransomware attacks.

The North Korean Lazarus Group, also known as Hidden Cobra, uses the WannaCry 2.0 ransomware. The group may employ as many as 6,000 hackers and has been linked to 300,000 computer attacks in 150 countries. It is also suspected of the 2020 attacks targeting the cryptocurrency vertical.

Russian state-sponsored Evil Corp is a “cybercriminal organization, which used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in thefts.”

The FBI is offering a $5 million reward for information to locate Evil Corp and its leader, Russia-based Maksim V. Yakubets, who the government says went by the nicknames “aqua” and “aquamo.” OFAC says it “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

Also on the SDN List are five China-based international hackers known as APT41. This hacking group is allegedly responsible for computer crimes including intellectual property (IP) theft, ransomware attacks, and crypto-jacking that impacted over 100 companies, organizations, and individuals in the United States and other countries.

Last month, the U.S. government filed charges against seven international hackers who are suspected to be members of APT41. Two of the defendants are citizens of Malaysia and five are citizens of the People’s Republic of China (PRC), where they currently reside. They are also suspected of being connected to the Chinese Ministry of State Security.

Facilitating ransomware ransoms may violate OFAC regulations 

This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program.

Under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), U.S. persons are prohibited from engaging in transactions with individuals or entities on OFAC’s SDN List.

The sanctions compliance program of any company that is attacked by ransomware should account for the possibility that a ransomware payment may involve a person on the SDN List or an embargoed jurisdiction.

The advisory strongly suggests that any company paying a ransomware demand, or any entity facilitating a ransomware payment on its behalf, should consider its obligations under the Financial Crimes Enforcement Network (FinCEN) regulations.

“OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,” the advisory states.
