Unbelievable: Whoever pays ransom in the USA could end up in jail himself

in #cybersecurity4 years ago

Whoever pays ransom money after a ransomware attack could violate sanctions and thus become a criminal himself. The US Treasury Department warns against this, effectively putting victims in a double victim spot not being able to pay while having a government definitely not being able to help fast enough.

img_0.07849100821258795.jpg

Anyone who pays ransom money to criminals or makes it possible to pay ransom money to criminals can make themselves liable to prosecution. “Sarcasm on” Thank you US Treasury Department for nothing, cyber criminals are criminals “Sarcasm off”! The US Treasury Department reminds us that often the money goes to people or countries that are on sanctions lists, including a number of ransomware operators as well as states or territories such as Iran, the Russian-occupied Crimea, North Korea or Syria. Those affected by U.S. law to pay a ransom can apply for permission from the relevant authority OFAC (Office of Foreign Assets Control).

However, the application must be well justified. OFAC starts the procedure under the assumption that they will not allow the payment. The ban is not only aimed at paying victims, but also at paying insurance companies. In addition, there are financial service providers who facilitate such transactions and other third parties who are involved or contribute to them, such as IT security companies or IT forensic experts.

As a mitigating factor, OFAC explicitly emphasizes in the warning notices to the police if someone has been the victim of a ransomware attack. If a prompt and comprehensive report is filed, then ransom is paid without authorization, and it later turns out that the recipient of the payment or the target country is on the sanctions list, OFAC will consider the previous report as "significantly mitigating". On the other hand, those who do not report and pay illegally will face much harsher sanctions, however at least having the possibility of nobody ever finding if executed smartly as well as maybe getting your data back.

Once again legislative departments not helping anyone, but rather worsening the situation!