Paying ransoms in the context of cyberattacks, particularly ransomware, is wrong, isn’t it?

Paying ransoms in the context of cyberattacks, particularly ransomware, is a complex issue with various considerations.

My view is:-

• Paying a ransom is a complex legal issue that varies depending on the jurisdiction and specific circumstances. While paying a ransom is not automatically illegal, it can have implications related to money laundering, anti-terrorism laws, and ethical considerations.
• By paying ransom demands creates an attitude that funding criminal activity is acceptable. It’s not.
• The right thing to do is to make funding cybercriminals illegal, and legislators should be stepping up to the plate and going to bat to stop the payments from being made.
• As a good start, we should follow the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC), which declared [Oct 2020] that paying a ransomware demand could be illegal in certain instances.

What is the status today?

Current Situation:

1. Ransomware attacks occur when cybercriminals encrypt a victim’s data or lock them out of their systems, demanding payment (usually in cryptocurrency) to restore access.
2. Victims face a dilemma: pay the ransom and regain access quickly or refuse to pay, potentially suffering significant financial losses and operational disruptions.
3. Law enforcement agencies around the world increasingly advise victims not to pay because paying ransoms:
• Encourages continued criminal activity by funding cybercriminals.
• Does not guarantee that the victim will receive a working decryption key.
4. However, despite these recommendations, paying ransoms is not illegal in many jurisdictions.

Arguments for Making Ransom Payments Illegal:

1. Disincentive for Cybercriminals: If paying ransoms were illegal, it might discourage cybercriminals from launching ransomware attacks.
2. Reduced Profit Motive: By removing the financial incentive, attackers might focus on other forms of cybercrime.
3. Protecting Victims: A legal ban could protect victims from making hasty decisions under pressure.
4. Challenges and Considerations:
5. Complexity: Determining the legality of ransom payments involves navigating international laws, jurisdictional differences, and varying circumstances.
6. Mitigating Risk: While paying ransoms is not illegal, companies need to consider risks related to sanctions and anti-money laundering laws1.
7. Human Cost: Some victims, especially smaller businesses, may face devastating consequences if they cannot recover their data promptly.

Recent Developments:

1. In October 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) declared that paying a ransomware demand could be illegal in certain instances.
2. However, this remains a complex area, and legal clarity still needs to be improved.

In summary,

While the practicality of making ransom payments illegal is debatable, it’s essential to consider the broader implications, including the impact on victims, the cybersecurity landscape, and the evolving legal framework. Engaging with experts, law enforcement, and regulatory bodies before negotiating with attackers is crucial3.

Source

https://corpgov.law.harvard.edu/2021/10/16/a-guide-for-boards-and-companies-facing-ransomware-demands/

https://www.welivesecurity.com/2021/07/08/ransomware-pay-not-pay-legal-illegal-these-are-questions/

https://www.gartner.com/en/articles/when-it-comes-to-ransomware-should-your-company-pay

https://www.bbc.co.uk/news/technology-57173096