Ransomware is a prime cybersecurity threat at the moment. In this paper we analyze financial implications of ransomware attacks, motivation of the ransomware victim to pay ransom, and legal, accounting and tax implications of such payment. The methodological approach used in the study is a combination of formal-dogmatic method and argumentative literature review. First, we provide an overview of all potential losses which could be incurred by the ransomware attack. Further, we analyze under which conditions is legal to pay any kind of ransom, including cyber ransom, as an organization as well as which other considerations victims should consider when deciding to pay ransom. In that respect we analyze accounting and tax implications of losses inflicted by the ransomware attack, putting special attention to the ransom payments.

LITERATURE

Broder J.F., Tucker E., Risk Analysis and the Security Survey, Oxford 2012.

Chałubińska-Jentkiewicz K., Karpiuk M., Kostrubiec J., Introduction, [in:] K. Chałubińska-Jentkiewicz, M. Karpiuk, J. Kostrubiec, The Legal Status of Public Entities in the Field of Cybersecurity in Poland, Maribor 2021, DOI: https://doi.org/10.4335/2021.5.

Custers B., Oerlemans J.-J., Pool R., Laundering the Profits of Ransomware, “European Journal of Crime, Criminal Law and Criminal Justice” 2020, vol. 28(2), DOI: https://doi.org/10.1163/15718174-02802002.

Dey D., Lahiri A., Should We Outlaw Ransomware Payments?, [in:] Proceedings of the 54th Hawaii International Conference on System Sciences, 2021, DOI: https://doi.org/10.24251/hicss.2021.794.

Falcao T., Michel B., Taxation of Cryptocurrencies, “SSRN Electronic Journal” 2022, DOI: https://doi.org/10.2139/ssrn.4193099.

Galinkin E., Winning the Ransomware Lottery: A Game-Theoretic Approach to Preventing Ransomware Attacks, [in:] Lecture Notes in Computer Science, 2021, DOI: https://doi.org/10.1007/978-3-030-90370-1_11.

Hoffman I., Kostrubiec J., Political Freedoms and Rights in Relation to the COVID-19 Pandemic in Poland and Hungary in a Comparative Legal Perspective, “Białostockie Studia Prawnicze” 2022, vol. 27(2), DOI: https://doi.org/10.15290/bsp.2022.27.02.02.

Karpiuk N., Blockchain as a Non-Standard Response to the Limitation of Positive Law in the Social Media Environment, “Studia Iuridica Lublinensia” 2021, vol. 30(5), DOI: https://doi.org/10.17951/sil.2021.30.5.295-307.

Kostrubiec J., The Role of Public Order Regulations as Acts of Local Law in the Performance of Tasks in the Field of Public Security by Local Self-government in Poland, “Lex localis – Journal of Local Self-Government” 2021, vol. 19(1), DOI: https://doi.org/10.4335/19.1.111-129(2021).

Kramer S., Bradfield J.C., A General Definition of Malware, “Journal in Computer Virology” 2009, vol. 6(2), DOI: https://doi.org/10.1007/s11416-009-0137-1.

Krivokapić Đ., Nikolić A., Legal Obligations and Liability in a Ransomware Attack, “Zbornik radova Kopaoničke škole prirodnog prava – Slobodan Perović” 2022, vol. 3.

Lee H., Choi K.-S., Interrelationship between Bitcoin, Ransomware, and Terrorist Activities: Criminal Opportunity Assessment via Cyber-Routine Activities Theoretical Framework, “Victims and Offenders” 2021, vol. 16(3), DOI: https://doi.org/10.1080/15564886.2020.1835764.

Leo P., Isik Ö., Muhly F., The Ransomware Dilemma, “MIT Sloan Management Review” 2022, vol. 63(4).

Liew J., Li R., Budavári T., Sharma A., Cryptocurrency Investing Examined, “Journal of the British Blockchain Association” 2019, vol. 2(2), DOI: https://doi.org/10.31585/jbba-2-2-(2)2019.

Mehra C., Sharma A.K., Sharma A., Elucidating Ransomware Attacks in Cyber-Security, “International Journal of Innovative Technology and Exploring Engineering” 2019, vol. 9(1), DOI: https://doi.org/10.35940/ijitee.A8106.119119.

Nadir I., Bakhshi T., Contemporary Cybercrime: A Taxonomy of Ransomware Threats and Mitigation Techniques, International Conference on Computing, Mathematics and Engineering Technologies (ICoMET) 2018, DOI: https://doi.org/10.1109/icomet.2018.8346329.

O’Kane P., Sezer S., Carlin D., Evolution of Ransomware, “IET Networks” 2018, vol. 7(5), DOI: https://doi.org/10.1049/iet-net.2017.0207.

Peters A., Jordan A., Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime, “Journal of National Security Law and Policy” 2020, vol. 10.

Putnik N., Milošević M., Cvetković V., Ransomware as a Security Threat: Social and Criminal Legislation Aspects, “Socioloski Pregled” 2022, vol. 56(1), DOI: https://doi.org/10.5937/socpreg56-36845.

Reshmi T.R., Information Security Breaches Due to Ransomware Attacks – a Systematic Literature Review, “International Journal of Information Management Data Insights” 2021, vol. 1(2), DOI: https://doi.org/10.1016/j.jjimei.2021.100013.

Smith G.S., Recognizing and Preparing Loss Estimates from Cyber-Attacks, “Information Systems Security” 2004, vol. 12(6), DOI: https://doi.org/10.1201/1086/44022.12.6.20040101/79786.8.

Spasenic Z., Milosavljevic M., Milanovic N., Project Financing of Renewable Energy Projects: A Bibliometric Analysis and Future Research Agenda, “Fresenius Environmental Bulletin” 2022, vol. 31(8).

Trimborn S., Li M., Härdle W.K., Investing with Cryptocurrencies – a Liquidity Constrained Investment Approach, “Journal of Financial Econometrics” 2019, vol. 18(2), DOI: https://doi.org/10.1093/jjfinec/nbz016.

Turner A.B., McCombie S., Uhlmann A.J., Discerning Payment Patterns in Bitcoin from Ransomware Attacks, “Journal of Money Laundering Control” 2020, vol. 23(3), DOI: https://doi.org/10.1108/jmlc-02-2020-0012.

Wang X., An B., Chan H., Who Should Pay the Cost: A Game-Theoretic Model for Government Subsidized Investments to Improve National Cybersecurity, [in:] Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, 2019, DOI: https://doi.org/10.24963/ijcai.2019/834.

Williamson D.T., Staley A.B., Ransomware: Tax Compliance Issues for a New Reality, “Tax Management Memorandum” 2017, vol. 58(12).

Xi D., O’Brien T.I., Irannezhad E., Investigating the Investment Behaviors in Cryptocurrency, “Journal of Alternative Investments” 2020, vol. 23(2), DOI: https://doi.org/10.3905/jai.2020.1.108.

Young A.L., Yung M., Cryptovirology, “Communications of the ACM” 2017, vol. 60(7), DOI: https://doi.org/10.1145/3097347.

Yuryna Connolly A., Borrion H., Reducing Ransomware Crime: Analysis of Victims’ Payment Decisions, “Computers and Security” 2022, vol. 119, DOI: https://doi.org/10.1016/j.cose.2022.102760.

Zimba A., Chishimba M., On the Economic Impact of Crypto-Ransomware Attacks: The State of the Art on Enterprise Systems, “European Journal for Security Research” 2019, vol. 4(1), DOI: https://doi.org/10.1007/s41125-019-00039-8.

ONLINE SOURCES

Claroty, The Global State of Industrial Cybersecurity 2021: Resilience Amid Disruption, 2021, https://security.claroty.com/report/global-state-industrial-cybersecurity-survey-2021 (access: 16.11.2022).

CoveWare, Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022, 28.7.2022, https://www.coveware.com/blog/2022/7/27/fewer-ransomware-victims-pay-as-medium-ransom-falls-in-q2-2022 (access: 15.11.2022).

Donovan F., CISOs Stockpile Cryptocurrency in Case of Ransomware Attack, 25.7.2018, https://healthitsecurity.com/news/cisos-stockpile-cryptocurrency-in-case-of-ransomware-attack (access: 16.11.2022).

Elam E., Wange B., Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms, 23.7.2022, https://www.databreaches.net/florida-follows-north-carolina-in-prohibiting-state-agencies-from-paying-ransoms (access: 16.11.2022).

European Union Agency for Cybersecurity, ENISA Threat Landscape 2021, https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021 (access: 27.10.2022).

Freed B., North Carolina Moves Toward Ban on Ransomware Payments, 14.5.2021, https://statescoop.com/north-carolina-moves-toward-ban-on-ransomware-payments (access: 16.11.2022).

International Accounting Standards Board, Conceptual Framework 2018, https://www.ifrs.org/projects/completed-projects/2018/conceptual-framework (access: 10.11.2022).

Labro T., Ransomware, la nouvelle doctrine française, 23.9.2022, https://paperjam.lu/article/ransomware-nouvelle-doctrine-f (access: 16.11.2022).

McKeith S., Australia to Consider Banning Paying of Ransoms to Cyber Criminals, 14.11.2022, https://www.reuters.com/technology/australia-consider-banning-paying-ransoms-cyber-criminals-2022-11-12 (access: 16.11.2022).

Pain D., Noordhoek D., Ransomware: An Insurance Market Perspective, July 2022, https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public/ransomware_web.pdf (access: 15.11.2022).

Ransomware Task Force, Combating Ransomware, 2021, https://securityandtechnology.org/wp-content/uploads/2021/09/IST-Ransomware-Task-Force-Report.pdf (access: 16.11.2022).

Rasch M., States Prohibit Ransomware Payments, 8.7.2022. https://securityboulevard.com/2022/07/states-prohibit-ransomware-payments (access: 16.11.2022).

Rauch S., The Rise of Ransomware in the Era of Covid-19, 28.10.2021, https://www.simplilearn.com/rise-of-ransomware-in-the-era-of-covid-article (access: 16.11.2022).

Republic Geodetic Authority (RGZ), IT infrastruktura RGZ meta intenzivnog hakerskog napada, 15.6.2022, https://www.rgz.gov.rs/vesti/5028/vest/it-infrastruktura-rgz-a-meta-intenzivnog-hakerskog-napada (access: 15.11.2022).

Slattery T., Kirrane G., How to Manage the Risk of a Ransomware Attack, 20.5.2021, https://www.ey.com/en_ie/cybersecurity/how-to-manage-the-risk-of-a-ransomware-attack (access: 17.10.2022).

Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, 21.9.2021, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf (access: 17.11.2022).

LEGAL ACTS

Conceptual Framework for Financial Reporting (consolidated text, 2018).

Criminal Code of the Republic of Serbia.

Law on Accounting and Auditing of the Republic of Serbia.

Law on Corporate Profit Tax of the Republic of Serbia.

Law on Digital Property of the Republic of Serbia.

Law on Information Security of the Republic of Serbia.

Law on Obligations of the Republic of Serbia.

Law on Personal Data Protection of the Republic of Serbia.

Law on Value Added Tax of the Republic of Serbia.

Rulebook on Chart of Accounts of the Republic of Serbia.

Rulebook on Value Added Tax of the Republic of Serbia.