Is it against the law to pay ransom in a cyberattack?

Ransomware is malware that encrypts a victim's data and demands a ransom payment in exchange for the decryption key. When faced with a ransomware attack, organizations are often left with a difficult decision: should they pay the ransom or not? 

Understanding the dangers of ransomware

Before delving into the legality of ransom payments, it's important to understand the dangers associated with ransomware attacks. Ransomware is the biggest threat to email security in healthcare, with 88% of all ransomware attacks targeting providers, according to the Solutionary Security Engineering Research Team (SERT) Quarterly Threat Report. 

Ransomware can have severe consequences for organizations, including encryption and potential loss of critical data, business disruption, financial losses, and reputational damage. The threat actors behind these attacks often demand payment in cryptocurrencies, such as Bitcoin, to maintain their anonymity.

Read more: What is ransomware? 

Reasons companies choose to pay ransom

Despite law enforcement agencies advising against paying ransoms, many organizations still choose to do so. There are several reasons why companies opt to pay the ransom:

• Faster recovery time: In some cases, paying the ransom may be the quickest way to regain access to encrypted data and resume normal business operations. Organizations facing downtime and associated financial losses might see paying as a more expedient solution.
• Damage to business: Ransomware attacks can result in revenue loss and reputational harm. Some organizations may choose to pay the ransom to avoid negative publicity and regain customer trust.
• Excessive recovery costs: Depending on the extent of the attack and the organization's cybersecurity infrastructure, the cost of recovering from a ransomware incident might exceed the ransom payment. In such cases, paying the ransom could be seen as a cost-effective option.
• Protection of sensitive data: Threat actors often exfiltrate data before encrypting it, threatening to release it if the ransom is not paid. Organizations may decide to pay to prevent the exposure of sensitive customer or employee information.

Reasons companies should not pay ransom

While paying the ransom might offer a quick solution, there are compelling reasons why organizations should refrain from doing so:

• Encouraging future attacks: Paying the ransom provides financial support to cybercriminals, enabling them to continue their illegal activities. It creates a vicious cycle where attackers are incentivized to launch more ransomware attacks.
• Escalation of payments: Some ransomware groups engage in double-extortion tactics, demanding multiple payments to ensure both the decryption key and the non-disclosure of stolen data. Paying once might make an organization a target for future attacks and demands.
• No guarantee of data recovery: There is no guarantee that paying the ransom will result in the successful recovery of encrypted data. In fact, studies show that a significant percentage of organizations that paid the ransom did not recover all their data.
• Legal implications: Making a ransom payment can have legal repercussions. Depending on the jurisdiction and the nature of the attack, paying a ransom could be seen as funding criminal activities or even violating Office of Foreign Assets Control regulations.

The legality of paying ransom in a cyberattack

The legality of paying ransom in a cyberattack varies depending on the jurisdiction and the specific circumstances. In the United States, it is generally legal to make ransom payments. However, cybersecurity experts and law enforcement agencies strongly discourage organizations from doing so.

The U.S. Department of the Treasury has issued an advisory stating that companies involved in ransomware payments could face future legal trouble, as such payments may violate Office of Foreign Assets Control regulations. The FBI also advises against paying ransoms, as it only perpetuates the ransomware threat and encourages future attacks.

While it may be legally permissible to pay the ransom, organizations should carefully consider the potential consequences and seek legal advice before making any decisions. Reporting the incident to law enforcement agencies, such as the FBI or the Cybersecurity and Infrastructure Security Agency, is recommended even if the organization decides to pay the ransom.

Seeking alternatives to ransom payments

Given the risks and potential legal implications, organizations should explore alternatives to paying ransoms. These alternatives include:

• Implementing cybersecurity measures: Investing in cybersecurity measures can help prevent ransomware attacks in the first place. This includes regular software updates, employee training on phishing awareness, and the use of strong authentication protocols.
• Backing up data: Regularly backing up important data and storing it securely off-site or on a separate network can minimize the impact of a ransomware attack. Having backups enables organizations to restore their systems without paying the ransom.
• Engaging law enforcement agencies: Reporting ransomware incidents to law enforcement agencies is necessary for tracking and preventing future attacks. The FBI and CISA offer assistance to organizations dealing with ransomware and can provide valuable guidance throughout the incident response process.
• Obtaining cyber insurance: Cyber insurance can provide financial protection in the event of a ransomware attack. These policies often cover ransom payments, business interruption costs, and other expenses associated with recovering from an attack.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Are ransomware attacks illegal?

Yes, ransomware attacks are illegal under various computer crime laws. Perpetrators can face criminal charges and severe penalties if caught.

Can paying the ransom guarantee data recovery?

There is no guarantee that paying the ransom will result in the successful recovery of encrypted data. Organizations should consider alternative solutions and prioritize prevention and preparedness.

What should organizations do if they experience a ransomware attack?

Organizations should immediately isolate affected systems, report the incident to law enforcement agencies, such as the FBI or CISA, and engage with cybersecurity professionals to mitigate the attack and restore operations.

What role does public-private collaboration play in combating ransomware?

Public-private collaboration is necessary in addressing the ransomware threat. Governments, law enforcement agencies, and cybersecurity experts must work together to share threat intelligence, coordinate incident response, and raise awareness about the dangers of ransomware.