Russian Companies Offset Tax with Cyberattack Ransoms

Trust Bloomberg Tax for the international news and analysis to navigate the complex tax treaty networks and global business regulations.

By Natalia Suvorova

Companies that chose to pay ransoms to computer malware in the course of a major cyberattack in Russia and Ukraine can use the payments to reduce their corporate income tax, practitioners told Bloomberg BNA.

However, it may prove difficult for businesses to collect enough documents to make a convincing case to the tax authorities.

On June 27, more than 80 companies in Russia and Ukraine came under a cyberattack of an unprecedented scale. Other organizations were also disrupted across the globe. The organizations were attacked by malicious encryption software Petya, which spread through the tax accounting software developed by Ukranian company M.E.Doc. The malware encrypted computer files and required a payment of $300 in cryptocurrency to restore access to them.

Among those affected, according to computer forensics company Group-IB, were Ukrainian telecom operators, banks, and state enterprises including Ukrtelecom, railroad corporation Ukrzaliznytsia and the federal postal service. In Russia, among the affected were oil giants Rosneft and Bashneft.

Rosneft did not respond to a request for comment from Bloomberg BNA.

Malicious Software

The computer virus neither provided the attackers any access to the financial statements of the companies nor had the capabilities to remotely manage or copy the data, says Sergey Nikitin, deputy head of the Laboratory for Computer Forensics at Group-IB, a Moscow-based computer forensics company that identified the ransomware.

The M.E.Doc program “is common for all legal entities in Ukraine. The virus “flew” with an update of this program—hence the scale of infection in that country, including some government organizations,” Nikitin told Bloomberg BNA in a June 30 email.

According to Nikitin, the attackers only collected around $10,000 from 45 transactions in bitcoins. However, it remains unclear how many companies chose to pay the ransom.

“There is no way to establish whether this was from one or several companies. Theoretically, one company could pay several times,” the expert said.

He noted that to avoid exposure, it is unlikely the attackers would use the funds, given the wide media attention around by the cyberattack.

Deductible Ransom

Russian law provides for opportunities to consider a ransom paid to a computer malware as extraordinary expenses, thus enabling the taxpayer to reduce their amount of corporate income tax, says Aleksey Gatin, managing partner at Moscow-based Law and Taxes.

In an interview with Bloomberg BNA, Gatin said Article 265 of the Russian Tax Code allows companies to reduce the sum of taxable profits by extraordinary expenses if losses arise from the acts whose perpetrators are not established.

“To do this, the taxpayer must provide documents to the authorities proving that some persons committed the crime whose perpetrator is unknown,” Gatin told Bloomberg BNA by phone on June 30.

According to the practitioner, the tax authorities would be unwilling to take these expenses into account without convincing arguments. During tax inspections, the authorities tend to scrutinize the documents that justify companies’ expenses, including the expenses on software products, online resources, and digital applications, Gatin said.

“It is clear that the tax authority are likely to refuse to take into account extra expenses to reduce taxable profits. But I think that the court in such case would take the taxpayer’s side,” Gatin added.

Paying ransom to the malicious software program can be considered a business expense, but taxpayers may find it difficult to support their arguments with documentation, says Dmitry Kostalgin, managing partner at Tadvisor, a tax-consulting firm.

“The problem is that the intruders do not leave any bills or other primary documentation. One can try, of course, to submit payment slips and certificates of the computer examination [as a proof there was a cyberattack],” Kostalgin told Bloomberg BNA in a June 29 email.

To decrease the tax base by the sun of the ransom, tax authorities are likely to require the computer to be examined by an independent specialist, Kostalgin said. Eventually, this is going to cost the company a disproportionate amount of time and money, the practitioner said.

To contact the editor reporter on this story: Natalia Suvorova at

To contact the editor responsible for this story: Penny Sukhraj at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request International Tax