An update to the October 2020 advisory, the U.S. Treasury warns companies to mitigate ransomware attacks rather than paying ransoms to threat actors that pose a threat to national security.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has long maintained a Specially Designated Nationals and Blocked Persons List (SDN List) which I wrote about a few months back. The existence of this list automatically made it questionable as to whether organizations should be paying ransoms for foreign nationals. And according to the U.S. Treasury, doing so could put your company in a ton of trouble.
I'm not sure if you noticed, but cybersecurity security training was the number three recommendation on their recommended mitigation list (behind backups and incident response). Training is in front of AV and patching. That's noteworthy. The latest advisory from the U.S. Treasury makes it far more clear:
“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.”
They also make it very clear that there are consequences should you pay a ransom to someone on the SDN List:
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.”
Mitigation is always a better choice, as there is no guarantee that you’ll get all of your data back anyway, and you’ll still need to recover affected systems, as you can’t be certain that there is no additional malware providing threat actors access on those same now-decrypted systems.