As clients begin to recognize and prepare against the threat of ransomware attacks, one tricky question keeps coming up: is paying a ransom “illegal yet”? No company is champing at the bit to make unplanned payments, especially not to potential terrorists on the OFAC list, but the legality of the matter depends on a few factors. *Please note that ProCircular does not provide legal advice; rather, we disseminate guidance from the top legal authorities.
As a cybersecurity professional and business owner, I keep a close eye on the ever-changing recommendations surrounding ransomware attacks and incident management. I found the following document to be one of the more up-to-date (at least by government standards) and straightforward pieces available on the topic. Here's the short version:
“In the context of hostage-taking, for example, DOJ clarified in 2015 that it ‘has never used the material support statute to prosecute a hostage’s family or friends for paying a ransom for the safe return of their loved one.’”[67]
Basically, there is a low likelihood of prosecution for making ransom payments, even when the payment goes to a known threat actor on the OFAC denied persons list. I would only expect to see legal action taken if a very large company went through with the payment while it was expressly illegal. Even then, the punishment would be intended to make an example rather than to punish the victim.
The following is excerpted from: Ransomware and Federal Law: Cybercrime and Cybersecurity, Congressional Research Service, Oct 5, 2021, by Peter G. Berris and Jonathan M. Gaffney, Legislative Attorneys.
Legality of Ransom Payments
While the illegality of ransomware attacks is relatively straightforward, ransomware victims face more nuanced legal issues when deciding whether to make ransomware payments. No federal statutes expressly criminalize making ransom or ransomware payments.[60] However, federal laws heavily restrict transactions with certain parties and could implicitly make ransomware payments to such parties a crime.[61] For example, one of the federal material support of terrorism statutes prohibits conduct such as knowingly providing currency or other property to entities designated by the Secretary of State as foreign terrorist organizations.[62] At least theoretically, an individual might incur criminal penalties under the statute for making a ransomware payment to a recipient that he knows is a foreign terrorist organization.
As another example, in a September 2021 advisory, the Treasury Department explained that federal regulations prohibit ransomware payments to individuals or entities on the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List) or those “covered by comprehensive country or region embargoes.”[63] The Treasury Department stated that such payments could be subject to civil enforcement;[64] and, if an individual is aware that such a ransomware payment is unlawful—for example, if he knows that the recipient is on the SDN List or otherwise subject to embargo—then making that payment may incur criminal penalties.[65]
Nevertheless, policy considerations, mitigating factors, and prosecutorial discretion may weigh against criminal prosecution for ransomware payments even when they are knowingly made to sanctioned entities or foreign terrorist organizations.[66] In the context of hostage-taking, for example, DOJ clarified in 2015 that it “has never used the material support statute to prosecute a hostage’s family or friends for paying a ransom for the safe return of their loved one.”[67]
To combat ransomware, some have argued that Congress should remove the profit motive for ransomware attacks by criminalizing or otherwise prohibiting ransomware payments.[68] The issue has garnered media attention[69] and sparked a policy debate.[70] At a July 2021 Senate Judiciary Committee hearing, one FBI official stated that the Bureau does not support a ban on ransomware payments out of concern that it would make it possible for ransomware attackers to engage in a new form of extortion—specifically, the blackmailing of entities who make ransomware payments in violation of a ban.[71] Legislatures in at least four states are considering bills that would prohibit state or local government from making ransomware payments or from using public money to do so.[72] Further, a proposed bill in New York would authorize civil penalties of up to $10,000 for governmental, business, or health care entities that make a ransomware payment.[73]
Has your security team started discussing the potential for ransomware attacks and ransom payments? ProCircular’s IR Planning & Tabletop can help you create and socialize a reliable plan to respond to security incidents. Click here or call 844-957-3287 to learn more about our Governance, Risk, and Compliance (GRC) services!
[58] See generally CRS Report 97-139, Crime and Forfeiture, by Charles Doyle.
[59] See Press Release, U.S. Dep’t of Just., Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside (June 7, 2021), https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside (announcing recovery of cryptocurrency paid as ransom in Colonial Pipeline incident and attaching warrants and affidavits listing legal authority to seize that cryptocurrency).
[60] For instance, 18 U.S.C. § 875 criminalizes certain ransom demands, but does not prohibit ransom or ransomware payments. 18 U.S.C. § 875.
[61] See infra notes 62-65 and accompanying discussion.
[62] 18 U.S.C. § 2339B; CRS Report R46829, Domestic Terrorism: Overview of Federal Criminal Law and Constitutional Issues, by Peter G. Berris, Michael A. Foster, and Jonathan M. Gaffney, at 7-9.
[63] U.S. DEP’T OF THE TREASURY, supra note 7, at 3.
[64] Id. at 4.
[65] For example, two different federal statutes impose criminal penalties for willful violations of various federal sanctions laws and regulations. 50 U.S.C. §§ 1705(c), 4315(a). Courts have generally interpreted “willfulness” under these statutes to require knowledge on the part of the defendant that his conduct was unlawful. E.g., United States v. Mousavi, 604 F.3d 1084, 1094 (9th Cir. 2010); United States v. Homa Int’l Trading Corp., 387 F.3d 144, 146 (2d Cir. 2004); United States v. Dien Duc Huynh, 246 F.3d 734, 741-42 (5th Cir. 2001).
[66] For example, the Treasury Department has listed several mitigating factors that OFAC will consider in determining whether to enforce sanctions laws against an entity that makes an illegal ransomware payment, including the extent to which that entity disclosed the ransomware attack and payment, cooperated with law enforcement, and has employed cybersecurity measures to prevent ransomware attacks. U.S. DEP’T OF THE TREASURY, supra note 7, at 4-5.
[67] Press Release, U.S. Dep’t of Just., Department of Justice Statement on U.S. Citizens Taken Hostage Abroad (June 24, 2015), https://www.justice.gov/opa/pr/department-justice-statement-us-citizens-taken-hostage-abroad.
[68] Ben Kamisar, Energy Secretary Backs Ban on Ransomware Payments: “You Are Encouraging the Bad Actors,” NBC NEWS (June 6, 2021), https://www.nbcnews.com/politics/meet-the-press/sec-granholm-backs-ban-ransomware-payments-you-are-encouraging-bad-n1269776; Jason Breslow, How to Stop Ransomware Attacks? 1 Proposal Would Prohibit Victims from Paying Up, NPR (May 13, 2021), https://www.npr.org/2021/05/13/996299367/how-to-stop-ransomware-attacks-1-proposal-would-prohibit-victims-from-paying-up; Robert K. Knake, Paying Ransom on Ransomware Should Be Illegal, COUNCIL ON FOREIGN RELS. (Feb. 29, 2016), https://www.cfr.org/blog/paying-ransom-ransomware-should-be-illegal.
[69] E.g., Joe Tidy, Ransomware: Should Paying Hacker Ransoms Be Illegal?, BBC NEWS (May 20, 2021), https://www.bbc.com/news/technology-57173096; Joel Cohen, Succumbing to Ransomware: There’s No Federal Law Against It, BLOOMBERG L. (June 14, 2021), https://news.bloomberglaw.com/us-law-week/succumbing-to-ransomware-theres-no-federal-law-against-it; Scott Tong, As Ransomware and Other Cyberattacks Grow, Cyber Insurance Struggles to Keep Up, MARKETPLACE (June 3, 2021), https://www.marketplace.org/2021/06/14/as-ransomware-and-other-cyberattacks-grow-cyber-insurance-struggles-to-keep-up/.
[70] See, e.g., Alvaro Marañon & Benjamin Wittes, Ransomware Payments and the Law, LAWFARE (Aug. 11, 2021), https://www.lawfareblog.com/ransomware-payments-and-law (“At a minimum, Congress should consider banning ransomware payments made without notice both to authorities and to shareholders.”); INST. FOR SEC. & TECH. RANSOMWARE TASKFORCE, COMBATTING RANSOMWARE 49 (2021) (“[T]he Ransomware Task Force did not reach consensus on prohibiting ransom payments, though we do agree that payments should be discouraged as far as possible.”); Kyle Balluck, Warner: Debate on Making It Illegal to Pay Ransoms “Worth Having,” THE HILL (June 6, 2021), https://thehill.com/policy/cybersecurity/557040-warner-debate-on-making-it-illegal-to-pay-ransoms-worth-having (surveying debate over ransomware ban); Edward Segal, Banning Ransomware Payments Could Create New Crisis Situations, FORBES (June 8, 2021), https://www.forbes.com/sites/edwardsegal/2021/06/08/banning-ransomware-payments-could-create-new-crisis-situations/?sh=39580f502982 (examining possible business consequences of ransomware ban); Editorial Board, Opinion: Hackers Are Taking Cities Hostage. Here’s a Way Around It, WASH. POST (June 23, 2019), https://www.washingtonpost.com/opinions/hackers-are-taking-cities-hostage-heres-a-way-around-it/2019/06/23/f08b79ea-9459-11e9-aadb-74e6b2b46f6a_story.html (advocating for ransomware ban).
[71] See America Under Cyber Siege: Preventing and Responding to Ransomware Attacks: Hearing Before the S. Comm. on the Judiciary, 117th Cong. (July 27, 2021) (testimony of Bryan Vorndran) (“It would be our opinion that if we banned ransom payments, now you’re putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with the authorities.”).
[72] E.g., H.R. 813, Gen. Assemb., 2021 Sess. (N.C. 2021); S. 6154, 2021 State Assemb., Reg. Sess. (N.Y. 2021); S. 726, Gen. Assemb., 2021 Sess. (Pa. 2021); H.R. 3892, Leg., 87(R) Sess. (Tex. 2021).
[73] S. 6806, 2021 State Assemb., Reg. Sess. (N.Y. 2021).