What Happens if I Pay the Ransom?

By Randy V. Sabett

Randy V. Sabett, CISSP, is Special Counsel, Cyber/Data/Privacy practice at Cooley LLP, where he counsels clients on a wide range of cutting-edge cybersecurity, privacy, IoT, IT licensing and intellectual property issues.

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory reminding businesses that if they pay ransom to cyber hackers, they could be violating OFAC regulations. At first glance, it puts businesses that are already in an incredibly difficult situation in an even harder one.

Since businesses often aren’t certain what entities may be behind ransomware attacks, the advisory is a potent reminder that the act of paying ransom puts them at risk of paying sanctioned entities and exposing themselves to potential fines by the U.S. Government. Many businesses are paying these days, even if they have backup systems in place, because of the time it could take to restore their systems.

The Cipher Brief spoke with Randy Sabett, Special Counsel, Cyber/Data/Privacy Practice at Cooley LLP, about the advisory and the position in which it puts businesses that find themselves victims of ransomware attacks.

The Cipher Brief:  What is your biggest concern if the USG does decide to impose sanctions on companies that fall under this advisory?

Sabett: Coming up with a definitive position on whether a given threat actor is subject to the OFAC requirements is not an easy process. These threat actors endeavor to maintain an untraceable/anonymous existence. As a result, if the USG decides to impose sanctions, companies could face an even lengthier and more difficult decision process on whether or how to engage with the threat actor (or an entity brought in to negotiate with the threat actor) in a given incident.

The Cipher Brief:  Does the threat of potential sanctions create an additional hardship for companies that find themselves victims of ransomware?

Sabett: The process could become longer when expediency is what the victim companies are in need of the most. The hardship will be a longer process for getting back up and running (or a much longer process if they cannot comfortably determine the status of the threat actor and, therefore, decide not to pay to get decryption keys). Working with third-party negotiators could become more complex, including requests for certification that the threat actor is not on the OFAC list.

The Cipher Brief:  Will it force companies and boards to adjust their strategies for dealing with cyberattacks like these?

Sabett:  Many companies already have strategies in place for dealing with ransomware and similar attacks.  Those strategies likely already include coverage of negotiation with the threat actor but may need to be adjusted for making an OFAC determination.

The Cipher Brief:  Are there additional things the federal government could be doing to help support companies that are victims of ransomware?

Sabett:  To the extent the USG has information on specific bitcoin wallets or particular bad actors, sharing that information in a limited fashion would be helpful.

The Cipher Brief:  What is the most important question we didn’t ask?

Sabett:  I think the question of whether companies will continue to pay ransoms in spite of the guidance would be interesting to explore.  If a company is facing a significantly or completely encrypted network with sensitive information on it, they might be tempted to pay despite the advisory.
