Cyber-criminal ransomware demands – to pay or not to pay?
The question of paying cyber-criminal gangs following a ransomware attack has seen the Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) in the United Kingdom join forces to set out their advice to victims.
Under English law the payment of a ransom is not illegal or unlawful; however, the ICO has made it clear that it supports the law enforcement stance, which does not encourage, endorse or condone the payment of ransom demands. The ICO and NCSC sent a joint letter to the Law Society in the UK urging its members affected by attacks not to pay a ransom.
This is a worldwide dilemma, with the American Cybersecurity and Infrastructure Security Agency (CISA) and the FBI this week warning that a prolific ransomware gang has hit over 100 organisations around the world and claimed over Euros 57 million ($60 million) in payments. The Cuba ransomware attacks are targeting critical infrastructure, financial services, healthcare, information technology, government services and more. The alert notes that, despite the name, the ransomware gang doesn't have any connection to the country of Cuba.
The group engages in double extortion attacks, not only encrypting data and demanding a ransom, but also making threats to release data stolen from the victim if a ransom – demanded in Bitcoin – isn't paid.
The NCSC points out that payment does not guarantee access to your data and your computer will still be infected. Any payment will go to a criminal group, raising the likelihood that you will be targeted in future, while any party contemplating paying a ransom will need to be satisfied that the action complies with the relevant criminal, civil and regulatory regimes.
The wide-ranging sanctions imposed on Russia following its invasion of Ukraine cover Russian institutions and individuals. Any party contemplating making a payment to a ransomware group will need to make extensive enquiries in order to ensure that the sanctions regime is not being breached, as a number of groups associated with ransomware attacks have been traced to Russia.
The issue of ransomware payment has been addressed by the Lloyd’s Market Association in their “Guidance for handling a ransomware incident”. It states that steps taken by insureds to maximise cyber resilience, showing investment in security and training in related areas, plus an open dialogue with regulators in the event of a ransomware incident, may help mitigate exposure.
Anyone involved in responding to, or facilitating a response to, a ransomware attack should have robust risk-based compliance programmes and protocols in place to avoid breaching sanctions. When an insured seeks reimbursement or consent from insurers to make a ransom payment, the insured will be expected to confirm that, after having undertaken such due diligence as the circumstances allow, they:
· have considered any mandatory requirements to notify law enforcement or relevant regulators;
· have no reasonable cause to believe that the ransom payment will be made to a terrorist or terrorist organisation or to further a terrorist purpose;
· have carried out sanctions checks against the lists maintained by relevant Enforcement Agencies;
· have no reasonable cause to believe that the ransom payment is being made to any sanctioned party.
Sufficient information should be provided to insurers to enable insurers to consider any obligations they may have under applicable laws and regulations, including any obligations they have to notify relevant Enforcement Agencies.
In their advice on how to deal with the growing international ransomware threat, the ICO does not support the view that implementing “appropriate measures” to restore the data includes the payment of a ransom.
The ICO says: “Appropriate measures include threat assessments, risk assessments and controls such as offline and segregated backups. If you can demonstrate appropriate measures in accordance with the state of the art, cost and risk of processing then you will be able to demonstrate ‘appropriate measures’ and comply with those aspects of the UK GDPR.
“If attackers have exfiltrated the personal data, then you have effectively lost control over that data. This means individuals have lost the protections and rights provided by the UK GDPR. For example, transparency of processing or subject access rights. For this reason, we do not view the payment of the ransom as an effective mitigation measure.”
A strategically delivered W Denis Europe insurance policy will help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial costs of some elements of dealing with the attack and recovering from it. For further information visit www.wdenis.eu or contact Vida Jarašiūnaitė (Vida.Jarasiunaite@wdenis.eu) or Mark Dutton (firstname.lastname@example.org).