As ransomware attacks surge, the FBI is doubling down on its guidance to affected businesses: Don’t pay the cybercriminals.
But the U.S. government also offers a little-noticed incentive for those who do pay: The ransoms may be tax deductible.
The IRS offers no formal guidance on ransomware payments, but multiple tax experts interviewed by The Associated Press said deductions are usually allowed under law and established guidance. It’s a “silver lining” to ransomware victims, as some tax lawyers and accountants put it.
But those looking to discourage payments are less sanguine. They fear the deduction is a potentially problematic incentive that could entice businesses to pay ransoms against the advice of law enforcement. At a minimum, they say, the deductibility sends a discordant message to businesses under duress.
“It seems a little incongruous to me,” said New York Rep. John Katko, the top Republican on the House Committee on Homeland Security.
Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government doesn’t want payments that fund criminal gangs and could encourage more attacks. But failing to pay can have devastating consequences for businesses and potentially for the economy overall.
A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast, paid a ransom of 75 bitcoin — then valued at roughly $4.4 million. An attack on JBS SA, the world’s largest meat processing company, threatened to disrupt food supplies. The company said it had paid the equivalent of $11 million to hackers who broke into its computer system.
Ransomware has become a multibillion-dollar business, and the average payment was more than $310,000 last year, up 171% from 2019, according to Palo Alto Networks.