Last month, two agencies of the US Treasury Department issued advisories warning against paying ransomware demands.
The Office of Foreign Assets Control said that by paying ransoms, companies not only encourage growth of the ransomware sector but also risk violating OFAC regulations. Violators can be held civilly liable even if they did not know that the groups they were sending money to were under sanctions.
This means that before they make a ransomware payment, companies need to conduct checks to make sure that the ransomware group is not on any prohibited list, said Greg Baker, senior associate at Booz Allen Hamilton. There are several such lists, he told DCK, all of which are related to terrorism or hostile-nation status.
In the case of ransomware payments, however, the attackers are generally not forthcoming with their identities. What happens if, later, it turns out that the hacker group was in fact associated with a prohibited entity?