Ransomeware attacks have often forced companies to weigh the business value of locked-out data against the price a bad actor is demanding for access. However, U.S. Department of the Treasury sanctions may be adding a whole new dimension of risk to the equation that requires a more diverse legal team to safely navigate.

The Office of Foreign Assets Control, a financial intelligence and enforcement agency within the U.S. Treasury Department, maintains a Specially Designated Nationals and Blocked Persons List of groups or individuals that U.S. persons are “generally prohibited from dealing with,” which includes the payment of cryptocurrency ransoms. While OFAC has yet to levy penalties against businesses who pay ransom to an SDN list entity, companies in the midst of a cyber crisis may still have to proceed carefully.