Ransomware sanctions could be the thing that turns your worst day into something even worse — a federal crime. Most people think about ransomware as a data problem or a business continuity problem. Very few think about it as a potential sanctions violation. But if the group that encrypted your data happens to be on a US government sanctions list, paying them might expose you to fines that dwarf the original ransom, and in some jurisdictions, could mean jail time.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/ransomware-sanctions-ofac-lazarus-group.
I recorded this episode with my co-host Prasanna Malaiyandi and Dr. Mike Saylor, my co-author on Learning Ransomware Response and Recovery. Mike brought a real case to the table — a construction company that got hit by the Lazarus Group, a North Korean state-sponsored threat actor. By the time Mike was done telling the story, it was clear that ransomware sanctions are not a theoretical problem. They are a very real trap that most organizations are completely unprepared for.
The Lazarus Group, a Construction Company, and Ransomware Sanctions
The construction company in Mike’s story was no small operation. They built hospitals and military bases. Hundreds of millions of dollars in active contracts. They had what they thought was a well-protected system — a proprietary, air-gapped core repository for their engineering CAD drawings. The bad guys got in anyway. The attack happened on a Thursday, and by Sunday night Mike was negotiating directly with the Lazarus Group.
Here is where ransomware sanctions entered the picture. When the company decided they wanted to pay, Mike raised a flag: these attackers were a sanctioned group. Paying them without going through the proper process — specifically, the OFAC process — could result in federal penalties far larger than the ransom itself. One example Mike cited: a company paid $3 million in ransom to a sanctioned organization and faced potential penalties of 30 to 300 million dollars. That is not a typo.
What Is OFAC and Why Does It Matter for Ransomware Sanctions?
OFAC stands for the Office of Foreign Assets Control. It is a division of the US Treasury Department, and its job is to track financial transactions — including ransomware payments — that might end up funding sanctioned governments or criminal organizations. The Lazarus Group is a known North Korean state-sponsored hacking group, and money paid to them does not just buy you a decryption key. It funds arms deals, human trafficking, and other operations that the US government has decided it does not want American money supporting.
OFAC maintains a sanctions list and a search tool at sanctions.ofac.treas.gov. Before you pay any ransom, someone needs to check whether the group demanding payment is on that list. And that check needs to happen through proper legal channels, not a Google search by your IT team at 2am on a Saturday.
The UK has a similar body — the Office of Financial Sanctions Implementation. Australia’s Minister for Foreign Affairs handles similar designations, and in Australia, making a payment to a sanctioned group can carry up to 10 years in prison. Ransomware sanctions are not a US-only concern.
Ransomware Sanctions Are Only One Reason Not to Pay
Even setting ransomware sanctions aside, paying a ransom is a bad idea. The data backs this up: roughly 70% of companies that pay a ransom get hit again within six months. Why? Because all paying does is confirm that you will pay. In the construction company case, the day after payment the Lazarus Group came back and asked for another $800,000 to promise they would leave the company alone. They still had three dormant backdoors into the environment. Mike’s team found them and shut them down — but most companies do not have Mike’s team on speed dial.
There is also the concept of proof of life. Before you pay anyone anything, you need proof that they can actually decrypt your data. The construction company sent some files to be decrypted as a test — but avoided sending anything from the sensitive core CAD system, because those blueprints included military base designs. The bad guys proved they could decrypt ordinary files. The company paid the ransom. The decryption key did not work on the core system. And because the company never had a backup of that core system, those engineering drawings were gone forever.
The Real Answer to Ransomware Sanctions: Do Not Be in That Position
The only way to truly avoid the ransomware sanctions trap is to not need to pay the ransom in the first place. That means immutable backups — genuinely immutable, not marketing-department immutable. If someone with admin access can still delete your backups, they are not immutable. The test I use: if even you cannot delete the backup, then it is immutable. Anything less than that and I have questions.
It also means having your team in place before something bad happens. Call your legal counsel now. Many cybersecurity-focused law firms offer zero-dollar retainers — you do the paperwork upfront, and they answer the phone when something goes wrong. Sign up for FBI InfraGard at infragard.org. Call your local FBI field office. These relationships cost you nothing, and on a bad day, they could be the difference between a survivable incident and a company-ending one.
Ransomware sanctions are one more reason why paying the ransom is never the right answer. Get your backups right, get your team right, and you will not need to negotiate with the Lazarus Group on a Sunday night.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.

