Paying Ransomware may break the law


Some businesses that are affected by a Ransomware incident make a decision to pay the criminals in order to recover their data. This is usually because they believe it is more expensive to go through the recovery process. If they have poor or non-existent backups, then that may very well be the case, so they end up paying the ransom.

My attitude has always been to never pay. This is because:

  1. You stand a very good chance of not being able to get your data back.
  2. You are giving good money to criminals. This will be used to fund criminal enterprises like human trafficking, drug smuggling, gunrunning, etc.
  3. With some simple preparation, it’s unnecessary.
  4. You might need the money to pay a GDPR-related fine.

We’ll deal with those later, but first I want to address why …

Paying Ransomware may break the law.

If your business is in any way a part of a US corporation, then you are probably already screening all of your financial transactions against a list provided by the Office of Foreign Assets Control (OFAC). This is a part of the US Government’s Treasury Department. They produce a list of designated individuals, businesses and countries with which US corporations are prohibited from doing business. It’s all about cutting off avenues to finance terrorism. If your business tries to transfer money to one of these designated individuals, screening that transaction against the OFAC list should flag it as being illegal. To date it’s all been about identifying bank accounts.

Last month OFAC included a couple of cryptocurrency addresses (a virtual wallet for a digital currency) in this list. They attributed them to a couple of Iranian criminals who are allegedly behind a particular type of Ransomware, called SamSam.

So this means that any US company that gets affected by SamSam will break US Federal Law if it pays the ransom into those virtual wallets. The fines that can be imposed for such breaches would be a lot higher than the ransom demand. As nearly all Ransomware is paid by some form of cryptocurrency, this screening is likely to spread to other such virtual wallets.
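As an added illustration of the screening step described above (this is not the author’s code, and every list entry, identifier and programme name in it is a constructed placeholder, not a real OFAC designation), here is how a payment-screening check might treat a sanctions list that now carries cryptocurrency addresses alongside bank accounts. An exact match blocks the payment; a match that differs only in letter case is held for compliance review rather than silently allowed, because a screening step that can be dodged by retyping an address is worthless.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SanctionEntry:
    """One designated identifier on the screening list."""
    identifier: str        # bank account / IBAN or cryptocurrency address
    asset_type: str        # "bank" or "crypto"
    programme: str         # sanctions programme the designation belongs to
    designated_party: str  # who the identifier is attributed to


# Constructed sample list. These are placeholders, NOT real OFAC entries.
SANCTIONS_LIST: List[SanctionEntry] = [
    SanctionEntry("GB00PLAC000000000001", "bank", "PLACEHOLDER-PROGRAMME", "Designated Entity A"),
    SanctionEntry("crypto1placeholderaddressxyz", "crypto", "PLACEHOLDER-PROGRAMME", "Designated Individual B"),
    SanctionEntry("1PlaceHolderLegacyAddressABC", "crypto", "PLACEHOLDER-PROGRAMME", "Designated Individual B"),
]


@dataclass
class ScreeningResult:
    decision: str   # "ALLOW", "BLOCK" or "REVIEW"
    reason: str
    match: Optional[SanctionEntry] = None


def canonical_key(identifier: str, asset_type: str) -> str:
    """Strip whitespace; bank identifiers are also upper-cased (IBANs are case-insensitive).
    Cryptocurrency addresses are left case-intact because some address formats are case-sensitive."""
    cleaned = "".join(identifier.split())
    return cleaned.upper() if asset_type == "bank" else cleaned


def build_index(entries: List[SanctionEntry]) -> Tuple[Dict, Dict]:
    """Two lookup tables: exact canonical keys (-> BLOCK) and case-folded keys (-> REVIEW)."""
    exact: Dict[Tuple[str, str], SanctionEntry] = {}
    folded: Dict[Tuple[str, str], SanctionEntry] = {}
    for entry in entries:
        key = canonical_key(entry.identifier, entry.asset_type)
        exact[(entry.asset_type, key)] = entry
        folded.setdefault((entry.asset_type, key.lower()), entry)
    return exact, folded


def screen_payment(destination: str, asset_type: str,
                   entries: List[SanctionEntry] = SANCTIONS_LIST) -> ScreeningResult:
    """Screen one proposed payment destination against the list."""
    exact, folded = build_index(entries)
    key = canonical_key(destination, asset_type)
    hit = exact.get((asset_type, key))
    if hit is not None:
        return ScreeningResult(
            "BLOCK",
            f"destination is designated under {hit.programme} ({hit.designated_party})",
            hit,
        )
    near = folded.get((asset_type, key.lower()))
    if near is not None:
        return ScreeningResult(
            "REVIEW",
            "case-insensitive match to a designated identifier; hold for compliance review",
            near,
        )
    return ScreeningResult("ALLOW", "no match on the sanctions list")


def flagged_payments(payments: List[Tuple[str, str]]) -> List[Tuple[str, ScreeningResult]]:
    """Screen a batch of (destination, asset_type) pairs and return everything that is not ALLOW."""
    results = []
    for destination, asset_type in payments:
        result = screen_payment(destination, asset_type)
        if result.decision != "ALLOW":
            results.append((destination, result))
    return results


if __name__ == "__main__":
    # Constructed batch: a spaced IBAN, a ransom wallet, a retyped wallet and an unrelated address.
    batch = [
        ("gb00 plac 0000 0000 0001", "bank"),
        (" crypto1placeholderaddressxyz ", "crypto"),
        ("1PLACEHOLDERLEGACYADDRESSABC", "crypto"),
        ("1SomeUnrelatedAddress", "crypto"),
    ]
    for destination, result in flagged_payments(batch):
        print(f"{result.decision:6} {destination!r}: {result.reason}")
```

The three-way outcome is the design point: BLOCK stops the transfer outright, REVIEW routes a near-match to a human before any money moves, and only a clean ALLOW proceeds. A real deployment would refresh the list from the regulator’s published feed rather than embed it, and would log every BLOCK and REVIEW decision for audit.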

“I’m not affiliated with a US corporation, so I can pay the ransom,” says you. Let’s go back to the 4 points I made earlier.

You might pay for nothing.

If you pay, you might not get your data back. Figures vary wildly from 50% to 100% failure to recover data. If you pay and don’t get your data back, you will then have to pay the full cost of recovery anyway.

You’re funding criminal activity.

When you pay, you are funding organised crime. You are paying criminals who not only do cyber crime, but human trafficking, drugs, weapons, etc. All the crime and terrorism news you see online, on TV or in the papers: That! That is what ransom payments are helping to fund.

People think I am being jokey or have my tongue in cheek when I refer to Evil Doers. I’m not. This is an accurate description of these people. They! Are! EVIL!

So no paying Ransomware. OK?

Be prepared.

It may be the Boy Scouts’ motto (full disclosure, I never was one) but it should be part of your business’ policies.

The first thing is to make sure you get your staff some security awareness training. This is something that I deliver. Details of the complete training are available here. We can do customised training to suit your organisation too. Call me on 087-436-2675 or e-mail me to discuss your requirements.

Then ensure that you have your systems updated/patched regularly, have security appliances like Firewalls in place, and run Anti-Virus software, which is generally helpful against malicious software. Also, you shouldn’t insert strange USB devices into your computers.

Finally, you should have a good data backup system in place. This can be a very simple set-up or more complicated depending on your business needs. Again, I offer advice and support on backup strategies and business continuity planning. I also have a commandment about backups.

That’s it! With all of the above in place, in the very unlikely event that you do subsequently suffer a Ransomware incident, you will be able to recover from it.

There is also some help available from the good guys. It’s a not-for-profit, freely available service called No More Ransom. This is run by various Law Enforcement and Cyber Security firms around the world. They are constantly working on cracking the codes for the different Ransomware variants and enabling people to recover their data for free.

The GDPR has something to say.

If your business processes personal data of individuals who are resident in the European Economic Area (EEA), then it is subject to the GDPR. If the files that are scrambled by the Ransomware contain personal data, then technically you have a data breach on your hands. I have a short video explaining this here:


Finally, if you do suffer a Ransomware incident, a crime has been committed, so please report it to local Law Enforcement. They may not be able to do much about it, but it needs to be reported for statistical purposes if nothing else. If it can be shown that Cyber crime is as big a problem as I know it to be, then more reports to Law Enforcement will mean they get more resources to tackle its root cause.

Let’s be careful out there.

#SecuritySimplified #GDPR