If You Pay Ransomware Will You Have to Pay the US Treasury as Well?

KrebsOnSecurity has a post noting that the Department of the Treasury has published a Ransomware Advisory PDF.

The Treasury is advising you not to pay ransomware if your device is ransomed (encrypted until you pay for a decryption key):

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.

Facilitating Ransomware Payments on Behalf of a Victim May Violate OFAC Regulations

Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.


So not only does the victim lose their data and the ransom dollars, they may now also be liable for fines or other legal issues if all the stars align, i.e. if the ransomware actor is a sanctioned entity on OFAC's list or otherwise falls under a sanctions nexus. Note the strict-liability language above: not knowing who you paid is not a defense.

The document states that it is not a legal document and we should not take it as “law”, but we should definitely be aware that there is a government agency looking at fining companies that are essentially paying criminal entities in Russia and other places.

Of course the problem is that when you pay via Bitcoin there is no way for the layman to know where that currency is going. One has to be an expert in Bitcoin tracing to know who is picking up the coins, and even then only when circumstances allow for that. For the most part Bitcoin gives the criminal hacker a level of anonymity.

It is hard to tell where the criminal hacker is operating from and who you are paying… BUT if for some reason information comes to light that you paid an entity sanctioned by the government, you are now also liable for fines or more to the U.S. government.

Contact us to shore up your cyber defense so you will not be in this position.
