Paying Ransoms to Hackers Could Incur Huge Fines for US Companies

• The U.S. Department of Treasury threatens those who pay ransomware actors with fines of up to $20 million.
• The OFAC (Office of Foreign Assets Control) suggests that victims contact the authorities instead, and submit for a special payment license.
• Some firms try to keep the infections secret and attempt to carry out the payment without the OFAC ever getting to know about it.

The U.S. Department of Treasury has released a new advisory for American companies, warning them that paying ransomware demands would constitute a violation of the OFAC regulations, and thus, would incur financial sanctions and fines. The Federal government in the United States knows that ransomware infections are rising, and one of the fueling factors for this is that victims are meeting the crooks’ demands. As long as ransomware groups are making money, they will continue to hit large firms and crucial organizations in the country.

Taking the ransom’s payment out of the equation would eliminate the motive of the hackers, but things aren’t as simple. Ransomware groups now steal files and leak them on online portals, applying huge pressure to their victims. In some cases, the leaks are so catastrophic that they could easily destroy reputations and derail the business of the victimized organizations, so paying the ransoms seems like a one-way road sometimes.

Related: ‘Swatch’ IT Systems Down Following a Ransomware Attack

However, paying the ransomware is generally considered a desperate move, as there’s never a guarantee that the actors would ever stop the extortion. Thus, the U.S. Department of Treasury is now simply adding one more reason to consider against deciding to pay the hackers, hoping to have the scale of economics lean towards the other way. The fines that may be imposed on those who ignore these warnings could reach up to $20 million, which is not a contemptible amount at all.

The OFAC (Office of Foreign Assets Control) has a special licensing procedure in place for firms that want to pay a ransom, but when the ransomware actors are from Russia, China, or North Korea, it is highly unlikely to get an approval from the agency. Thus, a ransomware infection has varying levels of legal complications, depending on who the attacker is.

And then there’s the case of doing business under the table. Details about the negotiations with ransomware actors aren’t ever seeing the light, but the actual security incidents usually do. No matter how hard a firm may try to keep a ransomware infection internally, there are multiple channels through which this can leak outside. The FBI is watching, white-hat researchers are monitoring, employees like to post on social media, etc.