July 15, 2021 · Daniel B. Garrie

Ransomware Payments, OFAC Compliance, and Avoiding Liability

Paying a ransomware demand can expose an organization to sanctions liability. Here is how GCs, CISOs, and incident-response teams reduce OFAC risk.

When ransomware locks up critical systems, the instinct to simply pay and move on is understandable. But for general counsel, chief information security officers, and the incident-response teams reporting to them, a payment is never a purely commercial decision. It can carry sanctions exposure that survives long after data is restored. Understanding how the Office of Foreign Assets Control (OFAC) views ransomware payments — and building that understanding into your incident plan before an attack — is now an essential part of cyber risk management.

Why a Payment Can Trigger Sanctions Liability

OFAC, a part of the U.S. Department of the Treasury, administers and enforces economic sanctions against designated individuals, entities, and jurisdictions. It maintains lists of sanctioned parties, most notably the Specially Designated Nationals and Blocked Persons (SDN) List, and prohibits U.S. persons from engaging in transactions with them. A ransom payment is a transaction. If the threat actor — or a person facilitating the payment on the victim's behalf — is sanctioned, the payment may violate U.S. sanctions law.

Two features of this regime make it especially demanding. First, much of OFAC's enforcement authority operates on a strict-liability basis, meaning an organization can face civil penalties even if it did not know, and had no reason to know, that it was dealing with a sanctioned party. Second, OFAC has issued public advisories highlighting the sanctions risks associated with facilitating ransomware payments. Those advisories make clear that the agency expects victims, insurers, financial institutions, and incident-response firms alike to take sanctions risk seriously. The practical upshot: everyone in the payment chain shares exposure, not just the victim.

Due Diligence on the Threat Actor

Because liability can attach regardless of intent, the central question is whether the recipient of a payment is, or is connected to, a sanctioned party. Answering that question requires diligence that begins the moment an attack is identified, not after a payment decision has been made.

Effective diligence draws on several inputs. Forensic analysis of the malware, ransom note, and infrastructure can help attribute an attack to a known threat group, some of which have been publicly tied to sanctioned actors or jurisdictions. Screening any wallet addresses, intermediaries, and payment processors against current sanctions lists is essential, as is checking whether the strain or group has been the subject of government designations or alerts. No single check is conclusive — attribution in ransomware is inherently uncertain — so the goal is a reasonable, documented effort to identify and rule out sanctions nexus before money moves.
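As an added illustration of the screening step described above (not code from Law & Forensics or from OFAC), the snippet below screens the ransom wallet and any intermediary addresses against a sanctions-list index and produces a timestamped record for the file. The list contents, entry names and list version are constructed placeholders; a real program would load the current SDN data and record which release was used.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the digital-currency addresses carried on a sanctions
# list. The addresses and entry names are placeholders, not real designations;
# a real program would load the current OFAC SDN data and record its version.
CONSTRUCTED_LIST = {
    "XBT": {"1PlaceholderSanctionedBtcAddressXXXXXX": "SDN-ENTRY-PLACEHOLDER-1"},
    "ETH": {"0xABCDEF0000000000000000000000000000000001": "SDN-ENTRY-PLACEHOLDER-2"},
}
CONSTRUCTED_LIST_VERSION = "constructed-list-2021-07-15"


def normalize(asset: str, address: str) -> str:
    """Canonical form for comparison: hex (ETH) addresses are case-insensitive,
    base58 (XBT) addresses are case-sensitive, so only the former is lowercased."""
    address = address.strip()
    return address.lower() if asset == "ETH" else address


def build_index(sanctions_list: dict) -> dict:
    """Index the list by (asset, normalized address) so lookups are exact matches."""
    return {(asset, normalize(asset, addr)): entry
            for asset, addrs in sanctions_list.items()
            for addr, entry in addrs.items()}


@dataclass
class ScreeningRecord:
    """Contemporaneous record of what was screened, against which list, and when."""
    list_version: str
    screened_at: str
    hits: list = field(default_factory=list)      # (asset, address, list entry)
    cleared: list = field(default_factory=list)   # (asset, address)

    def payment_blocked(self) -> bool:
        # Any hit means the payment must stop pending counsel review.
        return bool(self.hits)


def screen_addresses(addresses, sanctions_list, list_version) -> ScreeningRecord:
    """Screen (asset, address) pairs for the ransom wallet and any intermediaries."""
    index = build_index(sanctions_list)
    record = ScreeningRecord(list_version, datetime.now(timezone.utc).isoformat())
    for asset, addr in addresses:
        entry = index.get((asset, normalize(asset, addr)))
        if entry:
            record.hits.append((asset, addr, entry))
        else:
            record.cleared.append((asset, addr))
    return record
```

A screening hit is a stop signal for counsel, not an attribution; a clear result only shows the addresses checked were not on the list version used.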

Plan Before the Incident

The worst time to learn your obligations is during an active extortion. Pre-incident planning lets an organization make sober, well-counseled decisions under pressure. A mature plan identifies, in advance, who must be consulted before any payment — typically inside and outside counsel, the board or a designated committee, and the insurer — and what diligence steps are mandatory. It confirms that vendors who might touch a payment, such as ransom-negotiation and incident-response firms, have their own sanctions-compliance programs. And it aligns the organization's broader OFAC compliance posture with Treasury's expectation that companies adopt risk-based sanctions controls.

Engaging law enforcement is a recurring theme in OFAC's public guidance. Reporting an attack promptly to the appropriate federal authorities, and cooperating fully, is both good practice and a factor the government may weigh favorably if an apparent violation later comes under review. Reporting also gives the organization access to information that can inform attribution and the payment decision itself.

Document Everything

If a payment is made and a sanctions question later arises, contemporaneous documentation is your best evidence of good faith. Maintain a clear record of the diligence performed, the law-enforcement contacts made, the legal advice obtained, the screening results, and the reasoning behind the final decision. A complete, timely record demonstrates that the organization treated sanctions risk as a genuine compliance obligation rather than an afterthought — precisely the kind of conduct regulators look for when exercising enforcement discretion.

How Law & Forensics Helps

Law & Forensics works alongside general counsel, CISOs, and incident-response teams before, during, and after ransomware events. Our team combines digital forensic attribution, threat-actor diligence, and sanctions-aware incident planning to help clients evaluate payment decisions, coordinate with law enforcement and insurers, and build the documentation that supports a defensible compliance position. The result is faster, better-informed decisions when minutes matter — and a far stronger footing if those decisions are ever questioned.