View All R&D Articles

Paying a Ransomware Ransom Is (Usually) Illegal

April 13, 2023

If you’re hit with a ransomware attack, you’re facing an unpleasant choice: Pay the ransom to restore your files, contact a professional ransomware recovery company, or lose important data forever.

However, in the United States, paying the ransom may be illegal according to the U.S. Office of Foreign Assets Control (OFAC). 

On Sept. 21, 2021, OFAC issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In the document, OFAC strongly recommends against paying ransoms. 

Here’s the relevant text:

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The document also notes that ransomware payments may run afoul of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). 

When Ransomware Payments Are Illegal

Ransomware payments are illegal when the attacker is a malicious foreign actor on the OFAC Specially Designated Nationals and Blocked Persons List (SDN List) or other relevant lists of blocked persons. That may include lists held by the Department of Justice (DOJ), as well as individuals or entities living in sanctioned countries such as Russia, Cuba, Iran, North Korea, and Syria. 

If you pay a ransomware payment to someone who does not fall under one of those classifications, you’re not breaking the law — but for obvious reasons, most bad actors don’t announce their identities during an attack. 

Many cybercriminal groups come from cybercriminals based in sanctioned countries, particularly Russia and North Korea.

The bottom line: If you decide to pay a ransom, you have no idea who you’re paying. It’s highly likely that the attacker is sanctioned.

Additionally, you have no guarantee that paying the ransom will restore your data. The payment also provides an incentive for future incidents — as long as victims keep paying the ransoms, malicious actors will continue using ransomware for attacks.

Related: Russian Hackers Weaponize Ransomware in War with Ukraine

I paid a ransomware ransom. Will I face a fine?

Paying a ransom is technically a transaction, and OFAC may impose civil penalties for sanctions violations.

That’s true regardless of your intent or your knowledge of the attackers. As OFAC notes:

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.”

With that said, OFAC has broad authority to determine whether civil penalties are warranted. The office may consider factors such as the size of the payment, the identity of the attacker/group, and the victim’s industry. 

But OFAC civil penalties can be significant, and in some cases, the office may publicize details of the extortion. For private businesses and public organizations, that’s certainly not good news.

OFAC recommends “risk-based compliance program[s]” to limit the risk of data loss due to ransomware. Of course, the best risk-management process in the world won’t help you if you’ve already suffered data loss — but fortunately, businesses still have options.

Related: Ransomware Attack Data Recovery: 4 Factors to Consider

Ransomware Recovery: Restoring Data Without Paying Ransoms

Ransomware recovery services can assist organizations with data recovery by using one of several methods:

  1. Disaster Recovery – Restoring from backups/archives and limiting data loss by rebuilding the affected systems.
  2. Ransomware Remediation – Cracking the cryptographic algorithms used by the attackers, restoring as much data as possible. Success depends on the ransomware’s encryption algorithms, the extent of infection, and other factors.
  3. Ransomware Risk Mitigation – Analyzing the affected systems for vulnerabilities and preparing a cybersecurity strategy that mitigates those vulnerabilities.

Typically, data recovery firms will use a combination of these methods. 

Some ransomware variants may have exceptionally sophisticated designs, and ransomware remediation is not always possible. However, attacks tend to be targeted, and by analyzing the attack vector, technicians can often find a solution. For example, some ransomware variants only encrypt a small portion of data, rendering the files unreadable; restoring the encrypted segment will typically result in a full or near-full recovery. 

At, we’ve developed methods for addressing many ransomware infections remotely or onsite. If you’ve encountered data loss due to malware, we recommend disconnecting the infected system and contacting a professional ransomware recovery provider as soon as possible. 

Call 1-800-237-4200 or submit a case online to get started.