Between a rock and a hard place: a very bad Rolling Stones song, and a place ransomware victims and their insurers may soon find themselves. On Oct. 1, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) in the U.S. Department of the Treasury collectively issued a pair of advisories warning ransomware victims, their insurers, and their incident response teams of potential sanctions for facilitating a ransomware payment.

The FinCEN Advisory identifies which corporate officers and employees should receive the advisory, effectively placing those individuals on notice as to their responsibility for an organization’s “sanctions compliance program.” The OFAC Advisory warns against “engaging in transactions, directly or indirectly, with individuals or entities (‘persons’) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.”