Paying ransoms in the context of cyberattacks, particularly ransomware, is wrong, isn’t it?


Paying ransoms in the context of cyberattacks, particularly ransomware, is a complex issue with various considerations.

My view is:

  • Paying a ransom is a complex legal issue that varies depending on the jurisdiction and specific circumstances. While paying a ransom is not automatically illegal, it can have implications related to money laundering, anti-terrorism laws, and ethical considerations.
  • Paying ransom demands creates an attitude that funding criminal activity is acceptable. It’s not.
  • The right thing to do is to make funding cybercriminals illegal, and legislators should be stepping up to the plate and going to bat to stop the payments from being made.
  • As a good start, we should follow the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC), which declared [Oct 2020] that paying a ransomware demand could be illegal in certain instances.

What is the status today?

Current Situation:

  1. Ransomware attacks occur when cybercriminals encrypt a victim’s data or lock them out of their systems, demanding payment (usually in cryptocurrency) to restore access.
  2. Victims face a dilemma: pay the ransom and regain access quickly or refuse to pay, potentially suffering significant financial losses and operational disruptions.
  3. Law enforcement agencies around the world increasingly advise victims not to pay because paying ransoms:
    • Encourages continued criminal activity by funding cybercriminals.
    • Does not guarantee that the victim will receive a working decryption key.
  4. However, despite these recommendations, paying ransoms is not illegal in many jurisdictions.

Arguments for Making Ransom Payments Illegal:

  1. Disincentive for Cybercriminals: If paying ransoms were illegal, it might discourage cybercriminals from launching ransomware attacks.
  2. Reduced Profit Motive: By removing the financial incentive, attackers might focus on other forms of cybercrime.
  3. Protecting Victims: A legal ban could protect victims from making hasty decisions under pressure.

Challenges and Considerations:

  1. Complexity: Determining the legality of ransom payments involves navigating international laws, jurisdictional differences, and varying circumstances.
  2. Mitigating Risk: While paying ransoms is not illegal, companies need to consider risks related to sanctions and anti-money laundering laws.
  3. Human Cost: Some victims, especially smaller businesses, may face devastating consequences if they cannot recover their data promptly.

Recent Developments:

  1. In October 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) declared that paying a ransomware demand could be illegal in certain instances.
  2. However, this remains a complex area, and legal clarity still needs to be improved.

In summary,

While the practicality of making ransom payments illegal is debatable, it’s essential to consider the broader implications, including the impact on victims, the cybersecurity landscape, and the evolving legal framework. Engaging with experts, law enforcement, and regulatory bodies before negotiating with attackers is crucial.
