The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced that it is now illegal for companies or IT firms to pay ransomware demands to hackers. The advisory provides reasoning for this decision, including that paying ransomware demands only funds the criminal enterprise of hackers, often including terrorism. In the past, many (perhaps most) victims of ransomware ended up paying the demand to hackers to get much-needed information released or returned. According to OFAC, this could now lead to significant penalties, though the amount of the penalty is unspecified. This certainly adds another layer of complexity to responding to a ransomware attack.
At this time, your incident response plan may need to be updated to comply with the OFAC announcement. Backup systems and other cyber security policies are more important than ever. If you have questions, or need assistance in this regard, please do not hesitate to contact us.