(no title)

There are cases covering a justifiable use of force because intentionally killing or harming a person is illegal, and self-defense is a defense against those charges.

It's normally perfectly legal to pay someone whatever you want. You don't need a defense against something that's not a crime. There's no conflict in paying a ransom, so there's no case law.

Regarding OFAC, as your link points out:

> One issue is that victim organizations are required to check the list of sanctioned entities; however, many times the true identity of the cybercriminals are not known.

I'm guessing there's no case law regarding paying ransoms to SDNs because nobody has an identity they can check.

But do we need case law when OFAC says:

> OFAC will consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the enforcement outcome if the situation is determined to have a sanctions nexus.

If someone wanted to make a law against paying ransom, it would be quite novel and courts would have to look for applicable doctrine. I think the doctrine of self-defense would be a roadblock.