U.S. Government Issues Advisory on Ransom Payment Risks

Oct 07, 2020

BY Courtney Heinbach

The United States Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory yesterday on the risks of making ransom payments in the event of a cyberattack.

The advisory references the increase in demands for ransomware payments during the COVID-19 pandemic and states, “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Even a ransom payment made by a cyber insurance firm carries risk. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.” In other words, by making a ransom payment you may be sending funds to an individual or organization associated with an embargoed country.

Also worth noting is the advisory's acknowledgment that paying a ransom does not necessarily bring a business out of the woods during an attack. Recent attacks have shown that simply paying the ransom does not always restore access to the data. Earlier this year, a cloud service provider was hit with ransomware; although the provider was able to stop the attacker from encrypting its files, it still was not in the clear. The victims still had to pay a ransom when the attackers stole data from the network and threatened to leak it.

Moral of the story: if your recovery strategy for a ransomware event is to call your cyber insurance company and pay the ransom, you are missing the key controls that guarantee recovery. Make sure your business and your clients are aware of the risks and have a robust business continuity and disaster recovery (BCDR) tool in place to recover data and keep operating in the event of an attack.