US organizations that choose to pay a ransom to their online extorters may be eligible to claim the money back from the Internal Revenue Service (IRS), it has emerged.
A report from The Associated Press over the weekend cited tax lawyers and accountants who claimed the little-known clause could be a “silver lining” for ransomware victims.
However, the deduction could also be seen as a further corporate incentive to pay up, encouraging more affiliate groups to join the race to pilfer money from big-name multinationals.
It also flies in the face of official US government guidance, repeated many times by FBI boss Christopher Wray and others, that organizations should not pay any ransom.
Nikos Mantas, an incident response expert at Obrela Security Industries, argued that this tax oversight “will not last long.”
“Ransomware attacks are growing in severity and frequency today, so until now, it is unlikely the IRS had to specifically mention them in their guidance,” he told Infosecurity.
“However, as more and more companies fall victim, they will have to be taken into account. It seems unlikely the IRS will say payments will be tax-deductible as this could be seen as funding a criminal industry.”
IRS spokesperson Robyn Walker, told AP: “The IRS is aware of this and looking into it.”
However, aside from the creation of a DoJ Ransomware and Digital Extortion Task Force and a letter sent to corporate bosses from the National Security Council’s top cyber official, it’s unclear what this will entail.
Some criminal organizations like the infamous Evil Corp are on a US sanctions blacklist, which prevents victims from paying them. However, even here, there have been various attempts to skirt the laws.
Global organizations already have a major incentive to pay their ransomware extorters in the form of cyber-insurance policies that cover such losses or a large part of them. However, things may be changing here too: AXA recently declared it would no longer reimburse clients for these payments in France.