Companies paying ransom when attacked by ransomware in an effort to retrieve their data has always been controversial because it encourages future attacks. Now, doing so may also be illegal.

The U.S. Department of Treasury today warned that paying ransomware demands may be illegal and that companies that do so could be prosecuted.

The warning came in advisories from the Treasury’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network. Both warned that any company that paid a ransomware payment, or a third party that facilitated a payment, could be prosecuted in the case that the hackers demanding the ransom were subject to U.S. sanctions.

There is an exception: Companies that are considering making a ransomware payment can do so but only with government approval.

Specific attention was given to third-party companies that facilitate ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the Office of Foreign Asset Control said in its advisory.

Paying ransoms in ransomware attacks has always been controversial. That it may now be deemed illegal is a new consideration in the mix.

On one hand, a serious ransomware attack could and has seriously crippled companies and cost them, in some cases, hundreds of millions of dollars in lost business and costs. Sometimes paying the ransom to obtain access to core business files is arguably worth it.

The counter-argument is that every single time a company pays a ransomware demand, it encourages future ransomware attacks. Hacking groups know this, which is why they keep deploying attacks.

James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc. compares ransomware to the Italian Mafia.

“Many years ago, in Italy, there were many kidnappings by organized crime groups of the wealthy and affluent families,” McQuiggan told SiliconANGLE. “They would request large sums of money in exchange to return the victim’s loved ones. The kidnappings got so bad that the Italian government initiated a ban on paying any ransom to organized crime groups. The government would seize all financial assets to prevent the kidnapped families from getting the money to pay.”

He went on, “At first, the crime groups called the bluff of the families who couldn’t pay and killed the family member. However, after a short while, the organized crime groups realized they couldn’t pay, and quickly, the kidnapping and ransoms came to an end.”

Returning to today’s advisories, McQuiggan said that even if an organization wishes to pay the ransom, it would have to collaborate with the U.S. Treasury, FBI and other government agencies to send the funds. “The U.S. government’s recommendation of not paying comes with a similar notion of not negotiating with terrorists and never paying the ransom when involved with kidnappings and thus, the anticipated action of reducing ransomware attacks,” he said.

Image: Pixabay