We all know it’s illegal to kidnap someone and ask for a ransom payment. But should it also be illegal for the victim to pay the ransom?
Earlier this month the U.S. Treasury Department did just that. It notified the world that certain ransom payments are illegal, specifically those to sanctioned ransomware operators. Should a victim pay a ransom to a sanctioned entity, that person may face a big fine.
J.P. Koning, a CoinDesk columnist, worked as an equity researcher at a Canadian brokerage firm and a financial writer at a large Canadian bank. He runs the popular Moneyness blog.
Punishing ransom victims seems heartless. But it may be one of the best ways to protect the public from extortionists. And if it wants to make a serious dent in the growing ransomware market, the Treasury Department will have to go much further than putting a few entities on its sanctions list.
On Oct. 1, the U.S. Treasury's Office of Foreign Assets Control (OFAC) published an advisory reminding everyone that several ransomware operators have been added to its list of sanctioned entities, otherwise known as the Specially Designated Nationals (SDN) List. The advisory clarifies that should a victim make a ransom payment to an OFAC-sanctioned ransomware operator, that victim (and anyone who facilitates the payment, such as a negotiator or insurer) could be violating sanctions law, regardless of whether they knew the recipient was sanctioned.
The ransomware wave
Ransomware is malicious software that blocks access to a computer system by encrypting its data. Once the data is locked, the ransomware operator demands that the victim pay a ransom in exchange for the decryption key needed to recover it.
The emergence of bitcoin, a digital asset whose transfers cannot be blocked, has made it particularly easy for ransomware operators to profit from their attacks. The earliest bitcoin ransomware strains targeted regular consumers with $300 or $400 ransoms. In 2019, operators such as Sodinokibi (also known as REvil) and Netwalker moved on to attacking corporations, municipal governments, school boards and hospitals.
The ransoms have gotten much larger. This summer, the University of Utah paid $457,059 in bitcoin for a decryption key. CWT, a travel company, paid $4.5 million to Ragnar Locker ransomware operators in July. The list of victims grows longer by the hour.
The damage involves more than just the ransom fee. Many organizations refuse to give in to the ransomware operator's demands, and rebuilding their network from scratch often costs more than the ransom would have. The crippled system will likely remain down for days, even weeks. The Government of Nunavut, a Canadian territory, couldn't serve citizens for almost a month after it refused to pay the DoppelPaymer ransomware operators.