The US Treasury is warning businesses who pay ransomware attackers that they could be violating anti-money laundering and sanctions regulations. Their arguments have been supported by organisations like the Financial Crimes Enforcement Network and the Office of Foreign Assets. Instead, companies should take a risk-based compliance approach. The government said: “This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.”