
Untangling the Sanctions Spiderweb: Navigating the Complex Legal Landscape of Ransomware Payments

Caesars Entertainment recently made headlines by reportedly paying around $15 million to the criminals behind a ransomware attack on its systems.

That much money flowing into the coffers of a criminal organization raises an obvious question: can such a payment be legal?

The answer is not straightforward. On the surface, paying a ransom is not prohibited as such: neither the United States nor the United Kingdom has a general ban on ransom payments, although Australia has been considering legislation that would introduce one.

However, beneath this seemingly simple answer lies a complex web of international sanctions.

OFAC Takes the Lead

The United States has taken the hardest line, not by banning payments outright but by sanctioning the individuals and organizations behind them. The Department of the Treasury's Office of Foreign Assets Control (OFAC) leads this effort. Its advisories on ransomware payments, issued in October 2020 and updated in September 2021, warn that a payment to a sanctioned person or jurisdiction can violate U.S. sanctions even if the payer did not know who it was dealing with, because civil sanctions violations are assessed on a strict-liability basis.

OFAC can designate not only the operators themselves but anyone who materially assists, sponsors, or provides financial, material, or technological support to malicious cyber activity, and a ransom paid to a designated person is itself a prohibited transaction.

At present, the sanctions lists relevant to ransomware are dominated by individuals and groups linked to Russia, North Korea, and Iran, where much of the ransomware ecosystem operates.

What makes these sanctions particularly impactful is their extraterritorial reach. They bind U.S. persons wherever they are located, and any transaction that touches the U.S. financial system, U.S. dollars, or a U.S. entity (a U.S.-based cyber insurer or incident response firm, for example) brings a foreign company within OFAC's reach if it runs afoul of these sanctions.

The consequences of a violation are severe. Foreign parties that deal with designated actors can themselves be added to the list of Specially Designated Nationals and Blocked Persons (SDN), which freezes all of their property and interests in property within the possession or control of a U.S. person, cuts them off from the U.S. financial system, and can result in denial of entry to the United States. Civil penalties apply without any need to prove intent, and willful violations are criminal, carrying fines of up to $1 million per violation and up to 20 years' imprisonment.

The UK's Approach to Sanctions

The United Kingdom, in line with its international counterparts, takes a firm position against cybercriminals and those involved in ransomware attacks. The UK government's view is that a ransom payment may breach financial sanctions and, in any case, indirectly funds further criminal activity.

The UK has enforced financial sanctions against cyber actors since May 2019, when the EU's cyber sanctions regime came into force during the UK's EU membership. After Brexit the regime continued through the Cyber (Sanctions) (EU Exit) Regulations 2020, made under the Sanctions and Anti-Money Laundering Act 2018.

These regulations target cyber activities that undermine the integrity, prosperity, or security of any country, including the UK. Such activities include those causing economic harm, damaging commercial interests, or undermining international organizations concerned with the governance of international sport or of the internet.

Under these regulations, designated persons (DPs) face asset freezes and travel bans. The asset freeze prohibits anyone from making funds or economic resources, including cryptoassets, available directly or indirectly to or for the benefit of a DP. Knowingly circumventing the freeze, or enabling or facilitating a breach of it, is itself an offence. The Office of Financial Sanctions Implementation (OFSI) enforces the regime.

Is an Outright Ban the Answer?

The debate continues over whether an outright ban on ransomware payments is the answer. Proponents argue that a ban would stop victims from paying and so cut off the profits that sustain ransomware operations. Critics reply that a ban would leave organizations with no recourse after a successful attack and could mean the permanent loss of critical data.


The legality of ransomware payments is a complex issue that requires careful consideration of both legal and ethical factors. No comprehensive international legal framework regulates these payments, but the web of sanctions imposed by individual countries makes the risks clear.

Before any ransom is paid, an organization must screen the threat actor, its known aliases, and the wallet address in the demand against the OFAC SDN list and the UK consolidated list of financial sanctions targets. Ransomware groups rebrand frequently and affiliates move between them, so a clean result against the current group name alone is weak evidence. OFAC's guidance treats prompt reporting to law enforcement and full cooperation as significant mitigating factors if a payment later proves to have reached a sanctioned party. Legal advice is essential before any decision is taken.
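The screening step described above, as an added example that is not part of the original article: the entries, names, programme codes and wallet addresses below are constructed and hypothetical, and the field layout is a simplified assumption rather than the export format of the OFAC SDN list or the UK consolidated list. A real check must run against the current published lists.

```python
"""Sanctions screening for a ransom demand (added example, not from the article).

The list below is CONSTRUCTED for illustration: the names, programme codes
and wallet addresses are made up and the field layout is a simplified
assumption, not the export format of the OFAC SDN list or the UK
consolidated list. A real check must run against the current published
lists, and a clean result is evidence, not clearance.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SanctionsEntry:
    name: str
    program: str                      # sanctions programme the listing sits under
    aliases: tuple = ()
    crypto_addresses: tuple = ()      # digital-currency address identifiers


# Hypothetical entries; no resemblance to any real listing is intended.
SAMPLE_LIST = (
    SanctionsEntry("ACME RANSOM GROUP", "CYBER-EXAMPLE",
                   aliases=("ACME", "Acme Locker"),
                   crypto_addresses=("bc1qexampleaddressnotreal0000000000000001",)),
    SanctionsEntry("John Q. Example", "CYBER-EXAMPLE",
                   aliases=("jqe",),
                   crypto_addresses=("0xABCDEF0000000000000000000000000000000001",)),
)


def normalize_name(name: str) -> str:
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def normalize_address(addr: str) -> str:
    """0x-prefixed hex addresses are case-insensitive; base58/bech32 ones are not."""
    addr = addr.strip()
    return addr.lower() if addr.startswith("0x") else addr


def screen(actor_names, wallet_addresses, entries=SAMPLE_LIST):
    """Return (match_type, listed_name, programme) tuples.

    ADDRESS_MATCH and NAME_MATCH are exact hits after normalisation.
    REVIEW is a weak hit: a shared name token of four or more characters,
    kept because groups rebrand and affiliates reuse old names.
    """
    wanted_names = {normalize_name(n) for n in actor_names}
    wanted_addrs = {normalize_address(a) for a in wallet_addresses}
    wanted_tokens = {t for n in wanted_names for t in n.split() if len(t) >= 4}
    hits = []
    for entry in entries:
        listed_names = {normalize_name(n) for n in (entry.name, *entry.aliases)}
        listed_addrs = {normalize_address(a) for a in entry.crypto_addresses}
        if wanted_addrs & listed_addrs:
            hits.append(("ADDRESS_MATCH", entry.name, entry.program))
        elif wanted_names & listed_names:
            hits.append(("NAME_MATCH", entry.name, entry.program))
        else:
            listed_tokens = {t for n in listed_names for t in n.split() if len(t) >= 4}
            if wanted_tokens & listed_tokens:
                hits.append(("REVIEW", entry.name, entry.program))
    return hits


def decision(hits):
    """BLOCK on any exact hit, REVIEW on weak hits only, otherwise NO_MATCH."""
    kinds = {h[0] for h in hits}
    if kinds & {"ADDRESS_MATCH", "NAME_MATCH"}:
        return "BLOCK"
    if "REVIEW" in kinds:
        return "REVIEW"
    return "NO_MATCH"


if __name__ == "__main__":
    # Constructed demand: a rebranded group name plus a listed address in the note.
    demand_names = ["Acme Locker v3"]
    demand_wallets = ["0xabcdef0000000000000000000000000000000001"]
    found = screen(demand_names, demand_wallets)
    for hit in found:
        print(hit)
    print("decision:", decision(found))
```

The address check is the strong signal, since wallet addresses published in a designation are exact identifiers, while the token-level name check exists only to force a human review when a demand uses a variant of a listed name; neither replaces a full legal review.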

Moving forward, international cooperation and clear guidelines are needed to address the ransomware conundrum. Striking the right balance between deterring cybercrime and leaving organizations a way to recover their data is a challenge that policymakers and legal experts must continue to confront, and any answer will have to weigh both the legal and the ethical dimensions of ransomware payments in a constantly shifting threat landscape.

