We all know it’s illegal to kidnap someone and ask for a ransom payment. But should it also be illegal for the victim to pay the ransom?
Earlier this month the U.S. Treasury Department did just that. It notified the world that certain ransom payments are illegal, specifically those to sanctioned ransomware operators. Should a victim pay a ransom to a sanctioned entity, that person may face a big fine.
Punishing ransom victims seems heartless. But it may be one of the best ways to protect the public from extortionists. And if it wants to make a serious dent in the growing ransomware market, the Treasury Department will have to go much further than putting a few entities on its sanctions list.
On Oct. 1, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued a letter reminding everyone that several ransomware operators have been put on OFAC’s list of sanctioned entities, otherwise known as its Specially Designated Nationals and Blocked Persons List. The agency’s letter clarifies that should a victim make a ransom payment to an OFAC-sanctioned ransomware operator, that person could be breaking the law.
Ransomware is malicious software that blocks access to a computer system by encrypting data. Once the data is locked, the ransomware operator demands the victim pay a ransom in exchange for a decryption key.
The emergence of bitcoin, a digital, uncensorable asset, has made it particularly easy for ransomware operators to profit from their attacks. The earliest bitcoin ransomware strains came with $300 or $400 ransoms. In 2019, operators like Sodinokibi, Netwalker and REvil began to move on to attacking corporations, municipal governments, school boards and hospitals.