Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsRansomware Victims Who Pay the Ransom Could Face Millions in Fines
Illustration depicting a key unlocking a numeric code or password with the word "Ransomware"
NEWS AND COMMENTARY

Ransomware Victims Who Pay the Ransom Could Face Millions in Fines

February 5, 2021 | Purdue Global Law School

Most organizations hit by a ransomware attack would consider themselves victims. However, those that pay the ransom to recover their data could be fined millions of dollars for violating federal regulations.

Ransomware is a form of malware that encrypts or otherwise blocks access to a victim’s data. The attacker then demands a ransom in exchange for the decryption key. Law enforcement agencies and cybersecurity experts have long advised victims not to pay the ransom. There’s no guarantee that they’ll get their data back, and the payment will likely embolden the criminals to launch future attacks.

Now the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has issued an advisory warning of potential penalties for making or facilitating ransomware payments. The October 1, 2020 advisory warns that OFAC has sanctioned numerous cybercriminals, including those who perpetrate ransomware attacks and those who sponsor, support, or assist in their activities.

Direct and indirect transactions with these sanctioned groups are prohibited by multiple laws and regulations, including the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1706, and the Trading with the Enemy Act (TWEA), 50 U.S.C. §§ 4301–4341. Any U.S. person or entity who runs afoul of these laws may be subject to significant civil fines or criminal penalties.

Scope of OFAC Sanctions

OFAC has been called “the most powerful yet unknown agency in the U.S. government,” with broad authority to block and seize assets, prohibit business activities, and implement trade restrictions. OFAC sanctions encompass a dozen countries and geographic areas, and target such national security threats as terrorism, narcotics trafficking, and transnational criminal organizations.

OFAC also maintains a list of more than 6,000 Specially Designated Nationals and Blocked Persons (SDNs) that U.S. persons and entities are prohibited from dealing with regardless of their location. Often, the connections between SDNs and sanctioned governments and groups can be difficult to trace, and OFAC is continually adding to the list. The slightest nexus to OFAC sanctions is sufficient to trigger an enforcement action.

That makes it easy to violate the law unwittingly. Offenses under the IEEPA, TWEA, and related laws are based upon a strict liability theory—a person or entity may be subject to penalties without knowing that the transaction is prohibited. Furthermore, the law applies to foreign nationals within the U.S., foreign branches and subsidiaries of U.S. companies, and U.S. citizens and permanent resident aliens employed by foreign companies.

OFAC has virtually unfettered authority to enforce sanctions. If OFAC has reason to believe that a U.S. person or entity has conducted a prohibited transaction, the agency will issue a notice of intent to impose a monetary penalty. The recipient must respond in writing within 30 days, then OFAC will decide whether sanctions have been violated. Courts almost always side with OFAC decisions.

Ransomware Payments: Doing Business With the Enemy

Ransomware payments are a logical extension of OFAC policy. Ransomware has become a significant source of revenue for criminal organizations, terrorist groups, and state actors that represent significant national security threats.

The OFAC advisory notes that ransomware attacks have been linked to the Lazarus Group, a cybercrime operation sponsored by North Korea. According to U.S. authorities, there is evidence that North Korea uses the profits from ransomware attacks to fund the production of weapons of mass destruction.

OFAC has also sanctioned Evil Corp., an international network of at least 17 elite cybercriminals that developed advanced malware called “Dridex.” Evil Corp. used the malware to access the login credentials of employees in financial institutions worldwide and steal $100 million from consumers and businesses. The group is also associated with the WastedLocker ransomware, which has been used to attack at least 31 U.S. organizations and demand ransoms of $500,000 to $1 million per attack.

Given the shadowy underworld of cybercrime, ransomware victims who opt to pay the ransom face significant risk of unknowingly dealing with sanctioned individuals or groups. The OFAC advisory also notes that any person or entity that facilitates a ransomware payment, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, may be subject to an enforcement action.

The Growing Ransomware Threat

The risk is exacerbated by the fact that ransomware attacks are skyrocketing. The FBI’s Internet Crime Complaint Center (IC3) has received 3,000 to 4,000 reports of cyberattacks daily since the beginning of the COVID-19 pandemic, four times pre-pandemic levels.

Cybersecurity firm Monstercloud has seen an 800% increase in ransomware attacks since the pandemic forced a rapid, wide-scale shift to remote work. Check Point Research reported a 50% increase in ransomware attacks in the third quarter of 2020 compared to the first half of the year, with six new victims every minute.

Many of these attacks—including Evil Corp.’s WastedLocker ransomware—have exploited security vulnerabilities created by work-from-home models. The malware is often spread via phishing emails that trick victims into clicking on malicious content that appears to provide information related to the pandemic or economic stimulus payments.

Ransomware was already on the rise before the pandemic, due in part to increases in the number of victims willing to pay the ransom. A study by CyberEdge Group found that 58% of victim organizations paid the ransom in 2020, up from just 39% in 2018.

Given OFAC’s sanctioning of cybercriminals who launch ransomware attacks, organizations have another reason to think twice before negotiating with extortionists. The OFAC advisory encourages ransomware victims to contact the agency before making a ransom payment that could result in significant financial penalties.

Learn More About Cybersecurity and the Law

Cybersecurity legal experts will be increasingly needed in both the public and private sector, especially as we navigate the pandemic and the rise of remote work. Purdue Global Law School offers an online Executive Juris Doctor program for those who have no intention of becoming a practicing attorney. The program includes a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

Rule 4.30: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student intending to seek admission to practice law should contact the admitting authority in the jurisdictions where the student intends to qualify to sit for the bar examination or to be admitted to practice for information regarding their legal education requirements.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.