Cyber & Technology

Ransomware Payments and the Law

By Alvaro Marañon, Benjamin Wittes
Wednesday, August 11, 2021, 3:52 PM

Your taxes are going up. Not because of the bipartisan infrastructure bill. Not because Democrats are keen to hike taxes to pay for their spending in the coming reconciliation bill. 

We are all facing a tax increase at the hands of foreign criminals.

In early May, energy provider Colonial Pipeline paid a $4.4 million ransom after a ransomware attack forced Colonial to shut down its operations, leading to fuel shortages along the U.S. east coast. A few weeks later, in early June, meat provider JBS paid an $11 million ransom following an attack that led the company to suspend meat processing at its plants temporarily; the price of beef and pork soared across the country. And on July 2, information technology (IT) software provider Kaseya VSA was notified of a $70 million ransom demand to unlock “more than a million infected systems” after the organization suffered a massive ransomware attack

These ransomware attacks continue to illustrate the severity and scope of cyber criminal efforts, with victims in all sectors and industries suffering varying degrees of harm. Organizations can do their best to defend against anticipated threats, but supply chain attacks such as on Colonial Pipeline and Kaseya VSA result in indiscriminate harm against which it is difficult to mitigate. We are all paying the price.

It’s time for Congress to take this problem seriously and forbid—at least as a general matter—this ongoing tax on the American economy.

The disclosed attacks are also almost certainly the tip of a very large iceberg. Many companies resolve ransomware demands quietly, paying large sums of money to make problems go away—the adverse publicity associated with high-profile ransomware attacks being almost as harmful to a business as the attack itself. Nobody knows what percentage of the total ransomware bill plays out in public. But it’s almost certainly small. As Matt Tait put it recently on the Lawfare Podcast, undisclosed ransomware payments certainly exceed disclosed ones “by a huge margin.” Tait continued:

There’s a lot of companies and there’s a lot of folks in the non-company space—charities, hospitals, all sorts of places—where losing their data is catastrophic to their continuing operations. They make these payments because they need the problem to go away so they can get back to work. And a lot of those just never get reported—a very very large percentage of them.

These incidents have led to various proposals, including the regulation of cryptocurrencies, the means by which most ransoms get paid. But another approach has emerged as well: the banning of ransomware payments. It’s a divisive topic, with companies and experts divided over whether a ban on paying ransoms would actually disrupt the ransomware ecosystem and whether such efforts would do more harm than good. The Institute for Security and Technology’s Ransomware Task Force, composed of public- and private-sector representatives, recently published a report on combating ransomware. Yet while the authors were able to reach a consensus on nearly 50 comprehensive recommendations, they were unable to reach an agreement over a proposal that would prohibit victims from paying ransomware demands. 

Supporters of a ban, like Michael Daniel, president of Cyber Threat Alliance, argue that a ban is needed “to break this cycle and deprive the ransomware ecosystem of ‘fuel.’” Opponents, like Jen Ellis, Rapid7’s community and public affairs vice president, suggest it would have devastating consequences as criminal groups would shift their focus “towards organisations which are least likely to be able to deal with downtime—for example hospitals, water-treatment plants, energy providers, and schools.” These entities would face the most pressure to violate the ban and pay the ransom due to the likely severe amount of harm they would suffer due to downtime. As Ellis describes, “[the hackers] have very little to lose by doing this—and potentially a big payday to gain.”

Senior FBI officials pushed back further against the idea of such a ban during a July Senate Judiciary Committee hearing on how to prevent and respond to ransomware attacks. Bryan Vorndran, assistant director of the FBI’s Cyber Division, noted that the FBI currently estimates around “25 and 35 percent” of cyber incidents are not reported to law enforcement. According to Vorndran, banning ransom payments would increase this number and possibly lead to further extortion, with criminals blackmailing the victim for making the payment, thus causing victims not to disclose the attacks to the authorities. 

These ongoing discussions have inspired numerous policy suggestions at the federal level, but the first legislative move occurred when North Carolina’s House of Representatives passed a bill banning state and local agencies from making ransomware payments. 

The U.S. government’s official position already strongly discourages the payment of data ransoms. As Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger put it in a recent interview, “[T]he U.S. government’s policy has been very clear that we highly discourage the payment of ransom because it’s what is driving this ecosystem.” 

And numerous federal statutes already criminalize making a variety of payments that are similar to ransomware payments. The law, for example, already prohibits corrupt payments to overseas officials, as well as several other types of overseas transactions. Legally speaking, at least, banning ransomware payments would be a relatively simple matter; regulating them and forcing them out into the open would be an even simpler one. But it’s time to go a step further. As long as ransomware payments are generally permitted, the pressure in corporate boardrooms to pay the tax will be inexorable and companies will continue to feed the beast. Only by cutting off this option can Congress deprive this criminal ecosystem of the oxygen it needs to flourish. Yes, there will be exigent circumstances in which paying a demanded ransom is appropriate, but as we explain below, there are ways of handling those situations short of letting anyone pay off Russian criminal gangs.

What follows is an account of the legal landscape surrounding ransomware payments and what Congress would have to do if it wanted to restrict or ban them. We begin with an account of the current law of ransomware and the debate over whether a ban is appropriate. We then look at other laws that ban corrupt payments abroad and argue that a ransomware payment ban would be an incremental step given what is already illegal. We then examine the holes in existing law and why none of the current laws fully covers the general problem of ransomware. Finally, we argue that the right approach to ransomware is a general ban on payments with exceptions for exigent situations in which human life is at risk or some other compelling public policy reason justifies payment—and a flat ban on secret ransomware payments.

What Is Really at Issue

Let’s start with a look at the current landscape for companies and organizations facing a demand for ransomware payments—and the debate over whether the current rules are adequate.

Some ransomware payments are almost certainly already illegal. Two U.S. agency statements toward the end of 2020 make this point clear. 

In October 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to “highlight the sanctions risks associated with ransomware payments related to malicious cyber-enable activities.” The OFAC advisory warned that the facilitators of such payments on behalf of the victims—like financial institutions, cyber insurance firms and other companies involved in incident response and digital forensics—may be doing so in violation of OFAC regulations. Specifically, U.S. persons who “materially assist, sponsor, or provide financial, material, or technological support” to actors and persons on the Specially Designated Nationals and Blocked Persons (SDN) List can be held strictly liable for civil penalties and face criminal penalties for knowingly violating this prohibition. 

OFAC’s broad authority stems from the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). Past OFAC designations under this regime include high-profile cyber actors such as the Lazarus Group, for its devastating WannaCry 2.0 ransomware, and Evil Corp, for its costly Dridex malware. While OFAC affirmed that it considers mitigating factors such as whether the company’s disclosure to authorities was voluntary and timely when assessing an apparent violation, the advisory appears to serve as a warning to interested parties about the possibility of increased enforcement action for those considering making ransomware payments.

Similarly, the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, also in October 2020, to financial institutions on the effects on existing regulations of handling, processing and facilitating ransomware payments. The FinCEN advisory cautioned that such activities, which typically require an institution to receive and transfer or convert funds, could constitute money transmission and impose additional obligations and mandates under the regulations.

These agency statements have shifted the policy and legal focus around the ransomware problem, targeting the heart of the ransomware business model: the ability of criminals to get paid. 

But that, in turn, only poses the larger question of why governments tolerate ransom payments at all. Energy Secretary Jennifer Granholm, in a discussion of recent ransomware incidents, spoke of a need for a law to ban such payments to “send [a] strong message that paying a ransomware only exacerbates and accelerates the problem. You are encouraging the bad actors.” 

The theory of a payment ban is that depriving companies of the ability to pay the criminals will dry up the market for ransomware attacks. What’s more, it will prevent shareholder pressure to buy a company’s way out of the problem and thus force companies either to invest seriously in prevention and remediation or to bear the full costs of the damage their negligence induces. In the short term, the likely impact would be to increase the cost of ransomware attacks to affected entities because, instead of paying the ransomware, they would have to rebuild their systems, which is much more expensive. In the longer term, however, making clear that targeted companies will not pay would presumably make them unattractive targets to mercenary organizations. And depriving U.S. entities of the option of paying off the attackers would also create a real incentive for them to take defense seriously before an attack happens.

Opponents of a ban argue that such a move will only create further unintended consequences. They suggest a prohibition could escalate the problem and force companies to pay the ransom in secret or even embolden the attackers to test the resolve of more victim organizations. A ban may even pressure vulnerable organizations to hack back—as seen in 2019 when a victim of the Muhstik ransomware successfully hacked the criminal’s command-and-control server to release thousands of decryption keys and a decryptor tool for other affected victims. While the U.S. government prohibits private entities from hacking back, a Senate bill introduced in June may reassess this position: It would direct the Department of Homeland Security to conduct a study on the benefits and risks of allowing private companies to hack back. 

Other commentators have pushed for more moderate approaches, including phasing in a ban over time or shifting existing efforts toward improving law enforcement’s ability to track payments by making it more difficult for criminals to receive them. Former Director of the Cybersecurity and Infrastructure Security Agency (CISA) Christopher Krebs, for example, described how this approach could be achieved through a licensing requirement: An organization would need to acquire a license and comply with various reporting requirements before being permitted to make a payment. Krebs also cautioned that such proposals could backfire by incentivizing criminal groups to seek out sensitive organizations like hospitals that are capable of paying, especially when lives are at stake. We shall return to this argument, which we embrace, below.

How Specific Payments Have Been Banned

The payment of ransomware demands is also surrounded in U.S. law by a series of other prohibitions that ban things very much like it. Prohibiting corrupt payments, particularly to overseas actors, for one thing, is nothing new to American law. 

U.S. law already prohibits demands for coercive payments such as extortion, ransom and bribery. The Computer Fraud and Abuse Act extends this general prohibition specifically to the digital space by criminalizing payments stemming from threats to damage a government or bank computer, or a computer used in, or affecting, interstate or foreign commerce. Bribery, however, differs from other coercive payments like extortion, by making the payment of the bribe itself illegal—attaching criminal liability to either the payer or the recipient of the corrupt payment. 

Congress has also criminalized other payments to overseas entities to combat various widespread threats, making it a crime for individuals to make certain types of payment even if they did not seek or receive any benefit. Consider, for example, Section 2339(B) of the material support statute, which makes it a crime for a person to provide material support or resources to a designated foreign terrorist organization. This provision of the material support statute extends beyond tangible property like monetary instruments and weapons to include intangible services like training and expert advice. But at its core, it’s a ban on the giving of something of value to a designated overseas group. There is no exception in the law for circumstances like ransoms, though nobody has ever been prosecuted for material support in a situation involving, say, a kidnapping or hostage taking. So if Hamas or Al-Qaeda got into the ransomware business, it would already be a crime to pay the ransom—though it’s not clear whether the government would ever use its enforcement discretion to bring such a case.

An individual can also be punished for providing general support or payment to parties located in certain countries. The Trading with the Enemy Act and the International Emergency Economic Powers Act are key pillars of the United States’ modern economic sanctions program. While the TWEA’s current use is tied to wartime, the IEEPA grants the president broad powers to address an extraordinary threat to U.S. national security, foreign policy or economy that originates, fully or in substantial part, from overseas. The president must first declare a national emergency relating to the threat, and these declarations can also be in response to what most people would regard as nonemergencies. Congress can authorize or direct presidents to use their IEEPA powers when passing legislative sanctions, as was the case with the Nicaragua Human Rights and Anticorruption Act of 2018. As of July 2020, U.S. presidents have made 59 emergency declarations in response to terrorism, malicious cyber-enabled activities and other threats. Presidents have sweeping powers to control economic sanctions that include investigating, regulating, or freezing a wide range of activities and assets tied to a sanctioned party. The targets of these restrictions extend beyond foreign states and their governments to encompass non-state individuals and groups. 

The applicable powers and punishments are outlined in the relevant executive order or regulation that designates the specific entity, government or country under the sanctions list. The Treasury Department is often delegated with enforcement powers and the ability to impose civil and criminal penalties on individuals or organizations found liable for engaging with entities or individuals on the SDN List. These sanctions can apply to any transaction with a group or person on the list, with any group acting from a listed country such as Iran and North Korea, with any group acting on behalf of a designated government or entity, or with any organization owned or controlled by anyone previously mentioned. As a result, an individual can violate a sanctions regime by making a general payment to, or conducting a transaction with, someone on the SDN List, either directly or indirectly through another party. 

These broad authorities already enable the executive branch to take action against ransomware payments—simply by imposing sanctions against individuals or groups responsible for ransomware activity to the extent it can identify them. 

But U.S. law also contains payment bans that are conceptually closer to prohibiting ransomware victims in general from paying off Russian cyber gangs in general. The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 to combat the widespread problem of U.S. companies making corrupt payments to foreign officials. 

The anti-bribery provision generally prohibits covered entities from making any corrupt payment, or giving anything of value, to a foreign official in exchange for obtaining or retaining business in that country. 

The payment prohibition applies to people and entities, including their employees, agents, stockholders or anyone acting on their behalf, under three categories: “issuers,” “domestic concerns” and “territorial concerns.” The FCPA defines corrupt payments as any offer, promise, authorization of payment, or payment made with an intent or desire to “induce the recipient to misuse his official position.” A thing of value broadly includes any improper or unfair benefit given to a foreign official. The payer’s wrongful influence can be evidenced by a foreign official violating a duty through an act or omission that secures an improper advantage or influences an official act or decision. The party does not need to be successful in its payment to an official—the recipient does not need to solicit, accept or receive the payment—for a violation to be found. Nor does the party need to know the identity of the recipient to violate the FCPA so long as the payment is made “corruptly”—giving anything of value with an intent to wrongfully influence the recipient.

The effect of the FCPA’s broad language is that conduct both in and outside the United States can be subject to enforcement, meaning that an individual can be found liable for making a specific payment to any general foreign party or official.

It’s fair to ask why a bribe paid to, and perhaps demanded by, a foreign official to facilitate business abroad should be any more illegal than a ransom paid to a foreign criminal gang abroad to keep business going. More generally, it’s fair to ask why the law should tolerate ransomware payments given that it already prohibits bribery of overseas officials, payments to terrorist organizations, and transactions with anyone overseas whom the president designates as subject to sanctions. Yes, the company making a ransomware payment is a victim, but that point only goes so far. Like the bribe to a foreign official, the ransomware payment is creating a market for corrupt conduct overseas that victimizes innocent companies. In both cases, the criminal ban serves to dry up that overseas market for crime and corruption.

The Gaps in Existing Laws

Each of the aforementioned authorities is a piece of a legal puzzle that allows the government to target individuals and organizations in certain contexts. But these authorities are generally not well suited to be effective against current ransomware payments in general.

Generally, most of these laws, like the FCPA, will not apply, because the offending party often has only a tenuous connection—or perhaps no connection at all—to a government official. Even if it does, a prosecutor would have to prove that the payer knew this, which seems improbable.

This inability to hold non-state actors accountable, in part, is also due to existing challenges unique to cybercrime (such as host countries’ unwillingness to cooperate with the U.S.) and a prior absence of long-term investigations into the “cybercrime-as-a-service organization (with a particular focus on those that support ransomware).” 

While the U.S. sanctions program is dynamic and can assess sanctions based on geography, subject matter or identity, the sanctions still need to be tied to a specific individual, entity or country to accomplish some larger goal. And while the TWEA and the material support statutes grant more powers to the generalized threats of foreign emergencies and terrorism, they are not suited for ransomware attacks—which take place in peacetime and are not generally the province of designated foreign terrorist organizations

Second, the defense of duress may be available under many of these authorities—at least some of the time. Economic duress, an involuntary payment due to some monetary-based threat, is not recognized explicitly under most of these authorities. And the IEEPA may have even expanded the scope of liability in response to malicious cyber-enabled activities to include those who materially assist the attackers or entities in the facilitation of ransomware payments. But the question of what constitutes physical duress is a bit less clear. 

In 2015, President Obama issued a policy directive that reiterated that “no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones.” Indeed, there have been no instances of prior convictions or civil penalty settlements for making ransom payments. So payments in response to imminent and physical threats are likely excusable, which raises a question about threats to data, information systems and consequent economic well-being.

FCPA case history may offer some guidance. The FCPA again requires a finding that the corrupt payment was made with the necessary intent to cause an official to take any action or decision that would benefit the payer’s business interests. But a violation does not occur if the payment was made involuntarily. In United States v. Kozeny, the U.S. District Court for the Southern District of New York ruled that to be liable under the FCPA, extortion or duress made under the threat of imminent physical harm would excuse the conduct as there was no “corrupt intent.” The court explained that the duress or extortion exception does not apply to situations where the payment was a necessary price for entering into a market or to obtain a contract. Rather, the situation must leave the victim without any alternatives, such as where payment to an official would prevent the blowing up of a victim’s oil rig. The court referred to this hypothetical situation as an example of “true extortion.” 

So a general duress and extortion defense needs to have a connection to an imminent and physical threat, and the claim of imminent but purely economic harm is insufficient. Yet while the courts have yet to confront the question of whether ransomware can rise to the level of “true extortion,” recent incidents and developments support the notion that ransomware can satisfy the imminent and physical harm requirements. 

Bill Siegel, the chief executive officer of the ransomware recovery firm Coveware, spoke in great detail about the ruthlessness he has encountered when dealing with various cyber gangs. Siegel described the encounter with the Ryuk gang as quite bleak: “They do not care. Patient care, people dying, whatever. It doesn’t matter .... Other groups you can at least have a conversation. You can tell them, ‘We’re a hospital, someone’s going to die.’ Ryuk won’t even reply to that email.” 

The Federal Bureau of Investigation, CISA and the Department of Homeland Security have already issued cautions over the increased and imminent cybercrime threat to hospitals and health care providers. So it’s conceivable that a duress defense may already apply to such situations. The uncertainty on this point makes matters worse for all parties involved. 

What Reforms Are Needed and Other Suggestions

Ultimately, ransomware has become a national security problem, and some form of ban on ransomware payments is sound policy. The victim company has an overpowering incentive to pay off the attackers, while broad national policy concerns highly disfavor payments. A world in which the individual actor always has an incentive to defect from the public good is an environment ripe for regulation. The individual victim can pay off the attackers at a relatively modest rate, thereby feeding the market for further attacks. This makes the entire ecosystem more vulnerable. A general ban on such payments would relieve victim companies of the ability to discount their own risk by sloughing it off onto the larger market. Further, companies have discovered that ransomware payments are tax deductible and have also successfully written off these payments as “ordinary, necessary, and reasonable” expenses, meaning that the U.S. Treasury is effectively subsidizing ransomware payments. Unlike human ransom demands, where an individual’s life is generally at risk and payments can save that life, in these cases, what’s generally at risk is data and computer equipment. And while the loss of a company’s data and IT systems may be catastrophic for the affected entity, it is generally not catastrophic for society at large. 

But any reasonable ban should not be total. There are circumstances in which the company’s interest in making the problem go away will dovetail with a larger public interest. Consider, for example, a hospital or some other setting in which human lives are at risk. Any reasonable reform, therefore, must account for the nuances of ransomware payments and the need to ensure that third-party victims of ransomware extortion are not further punished by the government through no fault of their own. 

One such reform that could generally thwart criminals’' abilities to receive ransoms but also give permission for victims to engage with the criminals under certain circumstances would be to ban ransomware payments in the absence of a license, which could be granted under specified statutory circumstances. Faced with a ransomware demand, an affected entity could apply for such a license on an emergency basis. The application itself would provide notification to the government of the incident, and the entity could seek permission to pay the ransom based on several possible criteria: for example, a threat to human life or public safety or some broader economic impact. Authorities might review such applications with an eye toward the question of whether the broader public interest, in addition to the interests of the affected entity, supports making the payment. The process would afford needed insight into the scope of the problem.

The logistics of such a proposal are complicated. The federal government’s equities here are diverse and not always congruent with one another. The speed necessary for such a system to be effective would require a well-designed system capable of snapping into action quickly. For present purposes, however, the point is that the decision of whether a ransom is in the public interest should not lie with the affected company. It should lie with the national government. And a company, having made inadequate cybersecurity choices in the past, should not be permitted to ignore the public interest in responding to a ransomware event by way of transferring the risk it assumed.

At a minimum, it seems crazy that the law tolerates companies making these payments in secret. 

So another immediate reform would be to mandate the reporting of cyber incidents to a federal agency, like CISA, within a reasonable time. A recent bipartisan Senate bill would require federal agencies, their contractors and organizations critical to national security to report cyber incidents to CISA within 24 hours. The Cyber Incident Notification Act would also properly incentivize proactive reporting by granting liability protections to organizations that report breaches, in addition to implementing privacy protection procedures to anonymize personally identifiable information about the self-reporting companies.

Ransomware amounts to an ongoing tax by foreign gangs on U.S. governments and industry. Right now, the U.S. is unable even to quantify the tax. At a minimum, Congress should consider banning ransomware payments made without notice both to authorities and to shareholders. If U.S. companies are going to pay extortionate taxes to foreign non-state entities, they should at least have to file a tax return.