Ransom Demands: To Pay Or Not To Pay? – Technology – United States – Mondaq News Alerts


As the threat of ransomware attacks against companies has
skyrocketed, so has the burden on companies forced to decide
whether to pay cybercriminals a ransom demand. Corporate management
increasingly is faced with balancing myriad legal and business
factors in making real-time, high-stakes “bet the
company” decisions with little or no precedent to follow. In a
recent advisory, the U.S. Department of the Treasury (Treasury) has
once again discouraged companies from making ransom payments and
warned that doing so risks potential sanctions.

OFAC Ransom Advisory

On September 21, 2021, the Treasury’s Office of
Foreign Assets Control (OFAC) issued an Advisory that updates and supersedes
OFAC’s Advisory on Potential Sanctions Risks for
Facilitating Ransomware Payments, issued on October 1,
2020. This updated OFAC Advisory follows on the heels of the Biden
Administration’s heightened interest in combating the growing
risk and reality of cyber threats that may adversely impact
national security and the economy.

According to Federal Bureau of Investigation (FBI) statistics
from 2019 to 2020 on ransomware attacks, there was a 21 percent
increase in reported ransomware attacks and a 225 percent increase
in associated losses. All organizations across all industry sectors
in the private and public arenas are potential targets of such
attacks. As noted by OFAC, cybercriminals often target particularly
vulnerable entities, such as schools and hospitals, among

While some cybercriminals are linked to foreign state actors
primarily motivated by political interests, many threat actors are
simply in it “for the money.” Every day cybercriminals
launch ransomware attacks to wreak havoc on vulnerable
organizations, disrupting their business operations by encrypting
and potentially stealing their data. These cybercriminals often
demand ransom payments in the millions of dollars in exchange for a
“decryptor” key to unlock encrypted files and/or a
“promise” not to use or publish stolen data on the Dark

The recent OFAC Advisory states in no uncertain terms that the
“U.S. government strongly discourages all private companies
and citizens from paying ransom or extortion demands.” OFAC
notes that such ransomware payments could be “used to fund
activities adverse to the national security and foreign policy
objectives of the United States.” The Advisory further states
that ransom payments may perpetuate future cyber-attacks by
incentivizing cybercriminals. In addition, OFAC cautions that in
exchange for payments to cybercriminals “there is no guarantee
that companies will regain access to their data or be free from
further attacks.”

The OFAC Advisory also underscores the potential risk of
violating sanctions associated with ransom payments by
organizations. As a reminder, various U.S. federal laws, including
the International Emergency Economic Powers Act and the Trading
with the Enemy Act, prohibit U.S. persons or entities from engaging
in financial or other transactions with certain blacklisted
individuals, organizations or countries – including those listed on
OFAC’s Specially Designated Nationals and Blocked Persons List
or countries subject to embargoes (such as Cuba, the Crimea region
of the Ukraine, North Korea and Syria).

Penalties & Mitigating Factors

If a ransom payment is deemed to have been made to a
cybercriminal with a nexus to a blacklisted organization or
country, OFAC may impose civil monetary penalties for violations of
sanctions based on strict liability, even if a person or
organization did not know it was engaging in a prohibited

However, OFAC will consider various mitigating factors in
deciding whether to impose penalties against organizations for
sanctioned transactions, including if the organizations adopted
enhanced cybersecurity practices to reduce the risk of
cyber-attacks, or promptly reported ransomware attacks to law
enforcement and regulatory authorities (including the FBI, U.S.
Secret Service and/or Treasury’s Office of Cybersecurity and
Critical Infrastructure Protection).

“OFAC also will consider a company’s full and ongoing
cooperation with law enforcement both during and after a ransomware
attack” as a “significant” mitigating factor. In
encouraging organizations to self-report ransomware attacks to
federal authorities, OFAC notes that information shared with law
enforcement may aid in tracking cybercriminals and disrupting or
preventing future attacks.


In short, payment of a ransom is not illegal per se,
so long as the transaction does not involve a sanctioned
party on OFAC’s blacklist. Moreover, the recent ransomware
Advisory “is explanatory only and does not have the force of
law.” Nonetheless, organizations should consider carefully
OFAC’s advice and guidance in deciding whether to pay a ransom

In addition to the OFAC Advisory, management should consider the

  • Ability to restore systems from viable (unencrypted)

  • Marginal time savings in restoring systems with a decryptor
    versus backups

  • Preservation of infected systems in order to conduct a
    forensics investigation

  • Ability to determine whether data was accessed or exfiltrated

  • Reputational harm if data is published by the threat actor

  • Likelihood that the organization will be legally required to
    notify individuals of the attack regardless of whether their data
    is published on the Dark Web.

Should an organization decide it has no choice other than to
make a ransom payment, it should facilitate the transaction through
a reputable company that first performs and documents an OFAC
sanctions check.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
