The US Treasury is issuing guidance that “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating [OFAC] regulations.”
You may be violating the law if you make a ransomware payment.
Why do we care?
The FBI has been actively trying to discourage the payment of ransoms. Many parties, including insurance companies, find it easier to simply pay; if law enforcement wants to change that behavior, raising the risk of paying is one way to do it.
Note that this is not a NEW set of regulations. One researcher observes that this is a warning intended to ensure people work with law enforcement and/or third-party security firms.
That guidance applies to technology service providers. Do not forget that a breach is also a crime, and you need to be working with law enforcement. If you’re not qualified to handle the incident, find someone who is – and don’t just dive in and start trying things, as you may be destroying evidence.
If you need a little humor, I’ve included a link to a coffee maker that was hacked to demand a ransom. Because clearly anything can be.
Source: US Treasury
Source: Krebs on Security