
Isn't it illegal in many countries to pay a ransom?

(If not, why not?)

(Imho, it would make sense if only the state can pay ransoms)





It is generally not illegal. I’ve been following this for a while and cannot think of any place where it would be.

Why not? Legislators haven’t caught up yet, and banning ransom payments would likely cause some very uncomfortable situations.

This of course raises some pretty uncomfortable questions: should ransom payments in kidnapping cases be banned too? That would presumably cost actual human lives.

A more pressing issue is that banning ransom payments might dissuade ransomware, but wouldn’t affect the main problem of financially motivated hacking. The costs of these attacks are so low that a ransomware payments ban would probably not have stopped checkout.com from being hacked and having their customer data stolen; the criminals will still do crime even if they have to do slightly different crime that pays less.

The group responsible in this case was just selling data stolen from their victims for a long time before they pivoted to much more profitable ransom operations.


Typically, companies wouldn't really pay an actual ransom like unmarked bills stacked in a paper bag and thrown out from a bridge onto a passing barge.

Instead, you would pay (exorbitant) consulting fees to a foreign-based "offensive security" entity, and most of the time get some sort of security report that says if you'd simply plug this and that holes, your systems would now be reasonably safe.


> Typically, companies wouldn't really pay an actual ransom like unmarked bills stacked in a paper bag and thrown out from a bridge onto a passing barge.

Yes, that's why cryptocurrencies are a gift from heaven for these hacker groups.

Therefore, even if paying ransom money (somehow) must be legal, maybe it should be illegal to use crypto for it. You don't want to make it too easy to run this type of criminal business.


Criminals are plenty capable of accepting bank transfers, many of the same people running ransomware now were operating banking bots for years and years and stealing hundreds of millions from US businesses with wire transfers before crypto even existed.

You go on some Russian crime forum and find plenty of people offering to process bank transfers like these for some percentage of the money. As these particular payments would be somewhat consensual, you wouldn’t even have to worry about the funds getting frozen on the way.


> Instead, you would pay (exorbitant) consulting fees to a foreign-based "offensive security" entity

Lots of US-based incident response companies handling ransomware payments; this isn’t the domain of some sketchy foreign offsec joints.



