In a recent Cafe Insider-Cyber Space podcast interview, “Why you should be paying attention to ransomware cyber attacks,” John Carlin, former U.S. Assistant Attorney General for the National Security Division, interviewed veteran New York Times cyber reporter David Sanger.

They discussed this specific issue and shed even more light on how dicey the problem is.
Paying a ransom to an OFAC-listed cybercrime group could expose the victim (the paying company) to sanctions by the U.S. government.
See the following October 1, 2020, U.S. Treasury advisory:
Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
In my last post, Cyber Attacks for Ransom: Exponentially Growing Problem (Post 3 of 3), I raised the potential complication of paying a ransom to an individual or entity that is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) list of cybercrime individuals, groups, or nation-states.
One of the intriguing points made in the interview is that a company that pays the ransom falls under strict liability: the victim need not know it is paying an individual or group on the OFAC list to be held civilly liable, and no intent is required. Yet the victim company may have no way of determining whether the hacker is on that criminal-groups list unless it notifies law enforcement.
FINAL THOUGHTS
For several legitimate reasons, many companies do not want to notify law enforcement and prefer to make the payment privately.
On the other hand, the government is forced to confront a problem that is getting exponentially worse and feels compelled to do what it can to change behavior.
The interview has a runtime of 1 hour, 4 minutes.
The ransomware segment begins at 29:45.