Ransomware attack payments might be tax deductible, says US government (opens in new tab)

I'm not sure funding criminal enterprise should be legal, let alone a permissable business expense.

Obviously we should make the cost of recovering from an attack deductible instead.

Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.

That is to say, it's a sliiiightly entitled way to look at the matter.

> And now taxpayers are on the hook for shitty security. Hell why not?

They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).

The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.

Brrrrrr goes the federal reserve printing press.

When you still have reserve currency status for the world you can do dumb things.

Unfortunately those dumb things are catching up to us…

Similar thing happened in Canada. A uranium miner set up a shell company in Switzerland and sold its future production to them at a market low. If the price went up, all of the profits shifted. If it went down, the subsidiary would go bankrupt and void the contract.

The shell can shift its profits tax-free back to the Canadian parent.

My friend asked for a complete list for an essay.

Is a ransomware payment a bribe? The linked page doesn't really say what constitutes a "bribe". The next paragraph says that it only covers illegal activities, which AFAIK isn't the case for ransomware groups unless they're a designated terrorist organization or something.

Do you have a police report to go with it? If yes, then sure.

Wow that was fast.

By default, all expenses reduce your profits. Unless there is a specific exception, ransom is just another expense and should therefore be deductible.

I guess the founder wasn't key to the organization and wouldn't pay.

thats what I said

Curious why you think the skill sets don’t overlap. I see them as perfectly compatible and no different then any other embezzlement that can happen.

If you're trying to illegal embezzle or evade taxes I think this is just one more thing to add to the list, wouldn't be a big problem.

> As much as fake donations I guess

So, a lot.

it happens, plenty reports out there, random kidnappings just don't make high-profile news as much.

You are thinking way too complicated.

Ok, let me just put the moral compass aside for a moment and put on my John Grisham fanfic hat so I can answer to this:

You simply buy $CRYPTO_CURRENCY, siphon the money off into a shell company in your favorite tax heaven, write it up as ransom payment, done. You might not even need the first step by having the shell company pretend to be a crypto currency exchange.

If you are a big enough company to bother with shell company tax evasion shenanigans, you probably have enough departments that some of them barely know each other or communicate. Spreading a rumor of a single department being hit by ransomware should be enough in case someone from the IRS actually bothers to come by and ask around.

If you really must, maybe pay someone in IT some hush money and ask them to turn a few servers off for a day or so to put up a convincing show. I'd advise against that though, since in my experience, technical people are notoriously bad at lying about technical things.

But actually phishing your own employees and staging a real ransomware attack is an unnecessary risk with too many variables where things might actually go wrong. Besides, the people pulling the strings here may have a law and/or accounting background, but probably not IT.

The Key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses to towards somebody else who eventually pays the taxes), so overall they are not lost.

Paying a ransom by definition puts the whole sum in a black hole, tax-wise.

> Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated to only get away with hiding/divert the money (and pay no taxes on those).

Well, exactly this. Clarifying that ransom payments are tax-deductible creates a moral hazard whereby companies set up off-shore entities to conduct ransomware attacks. The parent company gets attacked, establishes a paper trail of "damages" (whether these damages are material is irrelevant, particularly as the stock market has shown that it won't punish companies for being the victim of cyberattacks), quickly pays the ransom, which moves the money off-shore into crypto accounts which can then be tumblered and funneled into shell companies. The off-shore cash can then be used off-the-books for a variety of purposes that indirectly benefit the parent company.

Good luck to the forensic auditors who try to follow the trail to show that the money never really left the parent company's control.

Yea, but 20 million?

I was thinking this plus the insurance will make it such that most companies will just pay the ransoms instead of working to secure their systems and train employees. No defense is perfect but also these criminals shouldn’t get paid.