What Are the Legal Implications of Paying Ransomware Demands?

While organizations may think the best strategy during a ransomware attack is to meet the attacker’s demands, doing so could land them in legal hot water. Once the federal government gets involved, the financial repercussions will be more significant than the ransom itself. Here’s what companies should do and avoid in this situation to protect their assets.

Do Most Organizations Pay the Ransom?

Ransomware attacks heavily impact every industry. Unfortunately, they are getting more severe. The incidents’ costs exceeded $400 million in 2020, four times higher than the 2019 total. These attacks threaten people’s livelihoods, so many feel extreme pressure to pay the ransom.

In fact, roughly 50% of victims pay the ransom. However, even though most give in to attackers’ demands, only 4% get all their data back decrypted and intact. Although complying can seem like the best approach, it often doesn’t pay off.

Is It Illegal to Pay the Ransom?

It is technically illegal to pay a ransom during a ransomware attack. After all, it’s nearly impossible to trace where the attacker is or find out who they work for — and the government frowns on U.S. entities funding terror groups or countries under an embargo.

Why do organizations pay the ransom even though it’s illegal? While many may not know about its legality, some go through with it because they believe it’s the best choice. After a cost analysis, they realize paying the fines may be less expensive.

Containing a malware attack takes around 50 days on average — this extended downtime could tank a brand’s sales and reputation. Instead of permanently losing their data, facing government scrutiny, and getting public backlash, some quietly pay the attacker. It may seem like a calculated risk, but the potential repercussions aren’t usually worth it.

Legal Considerations for Ransomware Attacks

Many local and federal mandates surround cyberattacks and ransomware. People living in or doing business in the United States must comply with these legal requirements.

Here are the primary laws and considerations for organizations:

• Informing stakeholders: Organizations typically must inform their stakeholders of a ransomware attack. Depending on local laws, they may have to make public statements or notify all customers.
• Paying ransoms: The federal and local governments have strict rules against it because it is a matter of security — they view it as funding or support.
• Notifying law enforcement: The Cybersecurity and Infrastructure Security Agency (CISA) states timely reporting is mandatory for all ransomware incidents. Victims must inform relevant U.S. government agencies.
• Informing customers: Organizations must notify customers if a ransomware attack impacts data security. After all, their privacy is at risk if the attackers expose their personal or financial information.

While the exact reporting mandates vary by state and industry, they all require organizations to inform law enforcement agencies. Even if people have the situation under control, they still must disclose it to relevant authorities.

What Are the Federal Government’s Requirements?

While the federal government has no explicit, comprehensive laws regarding ransomware, it considers ransom payments a type of transaction. Because of this technicality, it is illegal to engage with the attacker — doing so could result in harsh penalties. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) oversees most of these incidents.

The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) have strict rules against foreign financial engagement. It is illegal to conduct a transaction with any person or entity on the OFAC’s Specially Designated Nationals and Blocked Persons list. Also, doing business with those under an embargo is a crime.

These acts and laws may not explicitly discuss ransom payments, but they cover ransomware. Sanctions violations typically result in civil penalties, meaning organizations must pay hefty fines or settlements. Some people may even face jail time if the government believes their actions are criminal or criminally negligent.

Crucially, the government notes even those unaware of the acts can face legal repercussions — it can hold people civilly liable even if they didn’t know their actions were illegal. If a company goes into a panic and pays the ransom as soon as an attack occurs, it will still have to answer to OFAC, CISA, and other agencies.

What Are Local Governments’ Requirements?

Organizations must remember their local government also has a stance on ransomware — most impose fines and legal repercussions. Every state and U.S. territory has its own data breach reporting mandates and penalties.

While every state’s specific laws differ, each one requires entities to notify stakeholders and law enforcement. Local facilities typically aren’t equipped to deal with ransomware, so the responsibility falls to federal agencies like the FBI, CISA or The Department of Homeland Security.

While many states discourage ransom payments — some have even banned communication with ransomware attackers — their fines usually relate to data privacy. Local law enforcement and public entities don’t have as much power as the federal government, so they typically don’t involve themselves in people’s private affairs.

They can still react swiftly to data breaches and will hand out fines if they feel the need to. Since almost 50% of attackers steal data before beginning the ransomware attack, organizations will likely have to answer to their state’s laws.

Why Should Organizations Not Pay the Ransom?

Organizations will have legal issues if they pay a ransomware demand. Since the federal government considers payments to be funding for criminal entities, they will react swiftly. Fines range from a few thousand dollars to millions — often more of a financial hit than the initial ransom.

In addition to fines, law enforcement agencies could hand a case over to the Department of Justice. They also can take the noncompliant organization to court, where financial and reputational penalties will be much more severe.

Further, if the government finds a business went out of its way to cover up a ransomware payment, it may find it criminally liable. Criminal penalties are much more severe and — depending on the specifics — could even result in jail time.

What Should Organizations Do Instead?

Instead of paying the ransom, organizations should contact the relevant authorities. The 2022 Strengthening American Cybersecurity Act (SAC) states all critical national infrastructure organizations must disclose ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in less than 72 hours or face penalties. If the victim pays a ransom, the timeline shrinks to 24 hours.

However, CISA’s presence is only the first step. They should also contact The Department of Homeland Security, OFAC’s sanctions and compliance evaluation department, and the FBI’s cyber task force. These agencies deal with ransomware attacks all the time and know the best way to handle them.

Ignoring Ransomware Demands Is the Best Approach

Most companies panic when they realize an attacker has locked their data behind a malicious paywall. Still, meeting their demands is one of the worst approaches. While an organization may receive security and privacy fines once it goes to law enforcement, it avoids having to pay hundreds of thousands for violating IEEPA, TWEA, or the Strengthening American Cybersecurity Act.