Should companies pay ransomware, and is it illegal to?

Is it legal to pay after a ransomware attack?

For the moment, it’s legal to pay the ransom in the U.S., though cybersecurity experts recommend companies do not pay. Given the criticality of assets stolen, a company may decide that it has to pay the ransom and that it is legally allowed to do so.

The U.S. Department of the Treasury released an advisory in October 2020 warning that companies could face legal trouble in the future. Being involved in ransomware payments, whether as the victim, a cyber insurance firm or a financial institution, could violate Office of Foreign Assets Control (OFAC) regulations, the advisory said.

“Formal recommendations from the FBI encourage companies not to pay the ransoms because it just escalates the problem,” said Dave Gruber, analyst at Enterprise Security Group, a division of TechTarget. “At some point, to stop ransomware, there has to be some formal legislation in place. How do you stop the current cycle? Either stop paying the ransom or make the penalties for doing so way, way bigger and enforce them.”

Even if a company decides it is in its best interest to make the ransom payment, experts recommend reporting the incident to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA). Gartner analyst Paul Furtado said that, in his experience, companies report incidents more often now than they used to, even when they pay the ransom. One of his sources is an organization that acts as an intermediary between bad actors and their targets. “Their business continues to increase quarter over quarter,” he said.