Ransomware: ransom payment can be illegal

If company data has been encrypted by an encryption Trojan ("ransomware") such as "WannaCry", the company faces a choice: give in to the extortion and pay the ransom, or restore the encrypted data from backups or otherwise reconstruct it. Paying the ransomware gang is often the economically more attractive option, all the more so when the gang also threatens to publish the stolen data. The question of whether such a payment is itself unlawful has so far received little attention.

General advantages of a payment

Assuming the ransomware gang actually behaves as it promises after payment, a company might weigh the following benefits of paying:

  • Payment may be the most economically favorable solution.

  • It may be the fastest solution.

  • The company's confidential know-how stays confidential, including where the gang has threatened to disclose it.

  • The incident as a whole can perhaps be kept quiet.

  • There is no additional risk to personal data (where publication has been threatened in the event of non-payment).

  • Various reporting obligations may not apply, or may apply only to a lesser extent. For example, it may be open to question whether data subjects must be informed under the GDPR if the data did not become known to third parties and was unavailable only for a relatively short period. This is independent of any obligation to notify the data protection supervisory authority of the breach, which does not depend on whether the data reached third parties. The same may apply to the notification duties of operators of critical infrastructure (KRITIS), to the general reporting obligation for service providers under Section 15a of the German Telemedia Act (TMG), and to other special statutory reporting obligations.

  • Where publication has been threatened, paying may prevent contractual penalties under non-disclosure agreements (NDAs) from becoming payable, or prevent penalties that have already been incurred from increasing.

General disadvantages of payment

Besides the disadvantages that are simply the converse of the advantages listed above, the following should also be considered:

  • There is no certainty that the ransomware gang will behave as announced and hand over the key needed to decrypt the data. Follow-up demands are also conceivable, for example with a renewed threat to publish the data if they are not met.

  • Payment rewards the gang's criminal behavior and makes such attacks more likely in future, both for the paying company and for others. It is also conceivable that the same gang will look for and exploit further security vulnerabilities at the paying company, which will now be known as an "easy payer".

  • A payment, if it becomes public knowledge, can have a negative impact on the company's image.

  • Payment is usually demanded in a cryptocurrency, e.g. Bitcoin. Most companies hold no cryptocurrency and would first have to acquire it, which brings risks of its own.

Ransom payment may violate embargo

The US Treasury Department (through its Office of Foreign Assets Control, OFAC) currently warns that paying a ransom may be unlawful and, depending on the legal system concerned, may also carry penalties. The reason is that complying with the demand can mean transferring money to persons on a sanctions list, which would violate an embargo. The sanctions lists contain both countries and specific persons, and the latter include persons behind ransomware attacks, e.g. those behind WannaCry, Cryptolocker, BitPaymer, Dridex and SamSam. Under US law, sanctions violations can be penalized on a strict-liability basis, i.e. even where the payer did not know that the recipient was sanctioned.

Such sanctions cover not only the victim but every party involved in the payment, i.e. also the service providers such as negotiators, incident-response firms, insurers and the exchanges or banks through which the funds pass.

The US Treasury Department's warning relates directly to US law only. Even so, it can affect companies in Germany directly, e.g. where they have a subsidiary or assets in the USA. A violation can also have indirect effects wherever a company is in some way involved in the US market, e.g. by using US suppliers or service providers or by selling goods and services there.

As far as is known, the US Treasury Department's warning is the clearest official warning that specifically addresses ransomware. However, there are also embargoes at the level of the Federal Republic of Germany, the EU and the UN that may have to be observed when paying a ransomware demand. These too can be country-related or person-related. For example, payments to the Democratic People's Republic of Korea (North Korea) may be problematic under Art. 21 para. 1 of EU Regulation 2017/1509. The assessment is not made any easier by the fact that the identity and location of the attackers, and the country in which a cryptocurrency payment ultimately ends up, are generally unknown.

The legal risk of breaching an embargo, and how likely such a breach is on the information available, should therefore always be entered on the list of disadvantages and checked carefully before any payment is made.

It should also be noted that a payment may constitute a criminal offence as support for a criminal or terrorist organization (in Germany, Sections 129 and 129a of the Criminal Code).

Breaches of contract for ransom payments

Beyond embargo violations, a ransom payment can breach other rules. In particular, it should be checked whether contractual obligations would be violated: framework agreements with suppliers and customers frequently contain commitments to observe certain compliance measures, regularly including anti-money-laundering rules that restrict certain payments or transactions, and a ransom payment may fall foul of such a commitment.

Special police contact points and further information

In the event of a cyberattack, the following police agencies specialize in the immediate handling of cyberattacks:

Please also see our article on claims for damages in the event of crypto-Trojans / encryption Trojans / ransomware.

Date: 15. Oct 2020