As ransomware attacks have continued to rise in the U.S. [1], companies have increasingly looked to the U.S. government for a response. When organizations are put in the difficult position of deciding whether to pay a ransom to continue with their everyday business or face massive losses, many have chosen to pay the ransom quickly, hoping that the hackers will return their data. While many companies have regained access to their systems and data this way, just as many have not.

The primary question has become: Does paying ransoms to hackers further encourage ransomware attacks across the world?

And the jury is in. Experts both within the U.S. government [2] and in the private sector [3] now agree that paying ransoms often encourages more cybercrime.

Of course, it's easy to agree with this position in theory, but judging by the number of ransoms paid by prominent companies in recent years, it's a much harder call when it's your own data and systems on the line. In situations like this, many people expect the government to step in and take the role of coercer, forcing the general public and corporations everywhere to make the hard decisions that most agree will result in a better outcome for everyone.

But even though multiple branches of the U.S. government have made their advice clear on whether to pay a ransom in the wake of an attack, strict enforcement has not followed as quickly as you might expect.

"Between midyear 2018 and 2019, ransomware attacks multiplied, growing 500%, which can lead organizations to pay the ransom." — Forrester's Guide to Paying Ransomware [4]

Ransomware Regulations Today

On October 1, 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory [5] stating that groups that paid or helped to facilitate ransomware payments to parties on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) could be liable for their actions. In broad strokes, this is the most restrictive guideline we've received regarding the legality of paying ransoms. In the advisory, OFAC made it clear that anyone who paid a ransom to any of the parties on the SDN List [6] — mostly terrorist and narcotics groups known to be affiliated with or funded by foreign governments — could face consequences or, worse, prosecution.

In practice, this turns out to be a relatively narrow restriction on paying ransoms.

The list itself doesn't come close to naming all of the groups around the world known to regularly use ransomware to extort money from organizations. Although some prominent Chinese and Russian hacking groups that often claim responsibility for ransomware attacks are named, many more groups aren't listed. Additionally, groups regularly misidentify themselves, or skillfully hide their identities completely, making it extremely hard for even well-resourced government agencies to track down the source of any given attack. If even OFAC can't track down the parties responsible for an attack, most corporations certainly can't either.

What's more, ransomware attacks are increasingly coming from smaller or less well-known groups or individuals. With the rise of Ransomware-as-a-Service (RaaS) [7], more and more unaffiliated groups can easily use ransomware software without much hassle. Without any explicit ties to foreign governments or other groups on the SDN List, it's often unclear whether the government has any grounds to come after your business for paying a ransom.

However, it's extremely important to remember that this is a quickly changing gray area. Only a qualified cybersecurity attorney can give you the best legal advice in a difficult situation like this. While this information may be accurate now, the rules of the game could change at any time, as the U.S. government evolves its approach to dealing with the ransomware epidemic.

Because of the potential impact of ransomware following the Colonial Pipeline attack in June 2021, the U.S. Department of Justice elevated ransomware investigations to the same priority level as terrorism.

Steve Robinson, national Cyber practice leader

Could Cyber Regulation Make Paying Ransoms Illegal?

It's absolutely possible for the U.S. government to make the paying of ransoms illegal. There are many ways that the government could do so, as different branches of government continue to take a closer look at the prevailing expert opinions.

OFAC's limited response is far from the most direct way that elements of the U.S. government could delegitimize the practice of paying ransoms. If the ransomware epidemic continues to get worse at its current pace, it's quite possible that the issue could gain enough mainstream attention for the U.S. Congress to take matters into its own hands. A universal legislative ban on paying ransoms isn't impossible and would probably be the most direct way for the government to change the game.

Alternatively, smaller elements of the government could effectively ban ransoms by governing the way that most ransoms are paid. Most ransoms are paid in cryptocurrency, particularly Bitcoin, because of its trustless and untraceable nature. As the cryptocurrency sector gains more and more momentum around the world, we may see more general regulation surrounding legal use of cryptocurrency, possibly including the payment of ransoms with it.

It's also quite likely that agencies like OFAC will follow this precedent and apply incremental restrictions to the paying of ransoms. Without larger legislative restrictions, these small-scale regulations may focus on other aspects of the ransom-paying process, or simply levy fines against companies who choose to pay ransoms anyway, despite government advice.

Regardless of how it happens, it's not only possible for the U.S. government to place stricter restrictions on paying ransoms, it's likely. The question to keep in mind is when and how further regulations will be applied, and how companies can continue to act in their best interests without rampantly increasing the incidence of ransomware attacks around the world.

Sources

1. Taylor, Amiah. "There's a Huge Surge in Hackers Holding Data for Ransom, and Experts Want Everyone to Take These Steps," Forbes, 17 Feb 2022.

2. "Ransomware," FBI, accessed 26 Aug 2022.

3. Olenick, Doug. "Paying a Ransom: Does It Really Encourage More Attacks?," Bank Info Security, 14 May 2021.

4. Zelonis, Josh and Trevor Lyness. "Forrester's Guide to Paying Ransomware," Forrester, 5 Jun 2020. Gated report for purchase.

5. "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," Department of the Treasury, 1 Oct 2020. PDF file.

6. "Specially Designated Nationals and Blocked Persons List (SDN) Human Readable Lists," Department of the Treasury, updated 18 Aug 2022.

7. Baker, Kurt. "Ransomware as a Service (RaaS) Explained," CrowdStrike, 7 Feb 2022.