You've been hit by a ransomware attack, and a cybercriminal group is demanding a cryptocurrency payment in exchange for your data's safe return. Should you pay?
Deciding whether to pay a ransom is an internal business decision. Conducting a cost-benefit analysis is important, and the following factors should be considered:
- Are backups available to assist with system restoration?
- Is a forensic team able to assist with retrieval of files and operational recovery?
- Is the encrypted data vital?
- Will additional downtime severely affect the business or clients?
Federal law does not prohibit the payment of ransom to unsanctioned cybercriminals, although it strongly discourages it. Two states—Florida and North Carolina—flat-out prohibit the payment of ransom for state and local government entities.
Feds frown on ransom payments
Even if making a ransomware payment is not illegal where you operate, doing so without complying with federal advisories and guidelines can lead to serious legal and financial consequences. The Office of Foreign Assets Control of the U.S. Department of the Treasury monitors and regulates ransomware payments to cybercriminal groups. The OFAC maintains a “Specially Designated Nationals and Blocked Persons” list (known as the “SDN List”), which lists persons and entities whose U.S. assets are blocked because they are deemed to threaten U.S. foreign policy or national security. Entities on the SDN List include cryptocurrency wallet addresses, and entities and individuals associated with ransomware variants. U.S. entities and individuals are prohibited from engaging in or facilitating financial transactions with SDN List members.
In its September 2021 “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” the OFAC provided guidance for entities victimized by ransomware attacks. The advisory updates an advisory that was released in October 2020.
The Updated Advisory emphasizes the repercussions of making ransomware payments to sanctioned entities or individuals. Anyone who pays, assists with, or causes another to facilitate a ransom to an SDN List member is liable for civil monetary penalties in the amount of twice the value of the transaction that forms the basis of the violation, or $305,292 – whichever is greater – per violation. The OFAC has the authority to base the penalties on strict liability, meaning that it may not be a defense for a participant to claim that it did not know or have reason to know that the transaction was prohibited.
According to the Updated Advisory, the U.S. government opposes the payment of ransom to cybercriminals. The government contends that ransomware payments do not guarantee the safe return of stolen data, or restoration of the entity’s operations. On a broader scale, the government position is that paying ransom encourages further cyber attacks. Ransomware attacks have increased by 13 percent during the past five years. The amount of the average ransom payment has also increased: According to one report, the average ransom payment in 2024 is $2.73 million, an increase of nearly $1 million from 2023. According to another report, the largest known ransomware payment ever – $75 million – was paid in March 2024. The increase in the number of cyberattacks, coupled with the increase in ransom payment amounts, provides support for the federal government’s dim view of ransom.
The government’s opposition to paying ransom has only increased over time. In October 2019, the Federal Bureau of Investigation released guidance stating that although it opposed ransomware payments, it understood that businesses would evaluate all options to protect their shareholders, employees, and customers when attacked. The OFAC’s 2020 and 2021 advisories take a much more definitive tone, both strongly discouraging any payments and focusing primarily on the repercussions of doing so, rather than empathizing with an entity's desire to consider both sides.
The government also takes the position that ransomware payments pose a risk to national security.
The Updated Advisory provides an overview of mitigating factors that the OFAC will consider when investigating or determining an appropriate regulatory response to a ransomware payment that violates its sanctions prohibitions. Mitigating factors include the following:
- Maintaining offline backups of data
- Developing incident response plans
- Instituting cybersecurity training
- Regularly updating antivirus and anti-malware software
- Employing authentication protocols
Therefore, entities should have in place compliance and incident response programs to limit any exposure to possible sanctions violations. The OFAC refers entities to the Cybersecurity and Infrastructure Security Agency for its Ransomware Guide and various other resources that provide recommendations and best practices for strengthening cybersecurity measures and protocols.
Additionally, entities should be sure to report ransomware attacks to all appropriate U.S. government agencies. Timely self-disclosures to law enforcement, CISA, the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection, and other relevant agencies will be considered during any enforcement of penalties. Cooperation with law enforcement and any other agencies will also be analyzed and possibly used for mitigation purposes. The OFAC says that a self-initiated and complete report of a ransomware attack to relevant agencies, made as soon as possible after discovery of an attack, could be a significant mitigating factor.
If you still want to pay ransom...
If, after considering all of the above, you still think it is best to pay a ransom, be sure to take the following steps to ensure that payment is as secure and safe as possible:
- Check the SDN List to ensure that payment through or to a specific entity is not prohibited.
- Contact the OFAC if you need clarity on the SDN List status of the person or entity you are paying.
- Consult with your cybersecurity and legal professionals to ensure that you are taking the best possible course under the circumstances.
The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.
Ansley Bryan of Constangy’s New York City Office graduated in May from the Boston College Law School and has passed the New York State Bar Exam. Her swearing-in, which is required for admission to the Bar, will take place in the spring of 2025.
Matt Toldero is a partner and member of the Constangy Cyber Team and is affiliated with our Winston-Salem, North Carolina office. He brings over ten years of combined incident response and risk management experience to his role on our ...