
Ransomware is rocketing — but should you pay it?

CyXcel’s Michela Resta explores some key considerations around choosing whether to pay a ransom.

A recent NCSC assessment of how AI will affect cyber operations concludes that AI will almost certainly increase the volume and impact of cyber-attacks over the next two years, largely by lowering the barrier to entry for novice attackers. With ransomware attacks set to rise, whether to pay a ransom will always be a difficult call, but being prepared, and working through that question before you are faced with it, goes a long way.

What is ransomware?

Ransomware combines extortion with malware. It is malicious software designed to gain unauthorised access to a computer system and then disrupt it, typically by encrypting the data stored there or locking the devices themselves, so that the organisation or individual can no longer use them. The criminal group behind the attack then demands a ransom in exchange for the decryption key and the return of access to the data. This is an alarming time for any business, and the impact on the organisation can be catastrophic if the incident is not handled correctly.

Legal implications — will I be in hot water if I pay a ransom?

The Information Commissioner’s Office and the National Cyber Security Centre have made it clear that they do not encourage, endorse or condone the paying of ransoms. It is not (currently) illegal per se to pay a ransom. There are, however, a number of potential criminal pitfalls if you are not careful in your approach: money laundering, terrorist financing and international sanctions rules all apply to ransom payments, and the penalties for breaching them include civil enforcement as well as criminal prosecution. Many offences under these regimes are committed where there was “reasonable cause to suspect”, a lower threshold than actual knowledge, so a payer cannot rely on simply not knowing who was behind the attack. Extremely careful assessment, due diligence (including checking who the payment would actually reach) and legal advice are therefore required before taking any step, such as the transfer of money, that might breach these laws.

What about engaging with the threat actor without intending to pay?

There are good reasons to do so, including gathering intelligence, obtaining “proof of life” (evidence that the attacker really holds the data or decryption keys they claim to) and opening a negotiation, whether or not you ultimately intend to pay. But any contact with the threat actor needs to be handled extremely carefully. Professional ransomware negotiators are experienced in this and are equipped with intelligence on specific threat actor groups, which can be integral to an engagement strategy while you are dealing with the wider fallout from the attack.

No such thing as an honest crook?

Over recent years, as organisations have more often kept secure backups to aid recovery and so felt less temptation to pay for decryption, attackers have increasingly exfiltrated data as well as, or instead of, encrypting it. Rather than extorting payment for a decryption key, the threat is to publish sensitive personal and/or commercial data.

The position of law enforcement and regulators is clear: paying a ransom does not mitigate the risk to the people whose data has been taken, so it neither removes nor reduces your notification obligations under UK GDPR.

There are good reasons why this is so. The threat actors are criminals. They are, in the main (leaving aside so-called ‘ethical’ hackers), motivated by financial reward. There is little, if any, guarantee that a threat actor will honour their ‘promise’ to delete exfiltrated data once a ransom is paid. Where data has been both encrypted and stolen, double extortion is a real risk: “pay me for the decryption key”, says the threat actor, and then, “pay me again or I’ll publish the data I stole”.

Threat actors operate in networks of affiliates. The group demanding the ransom is probably not the group that executed the attack, the group that executed the attack is probably not the group that found and sold the initial access, and so on. Stolen data may have passed through several of these hands. It is therefore simply not possible to assume that, because one group says it has deleted your data, the data is not still held by another actor within the cyber-crime ecosystem.

Reputation — what are the optics?

Whilst a large data breach and the leaking of customers’ and employees’ data on the dark web has a negative reputational impact, a company must also weigh the wider reputational damage of negotiating with and paying criminals. Organisations need to consider whether paying a large sum of money to criminals is something they could justify and explain publicly if ever required to.

In addition, paying a ransom marks you out as a victim who is willing to pay. That only encourages further attacks, from the same organised criminal group or from others who learn of the payment.

Ethics

Ransom payments are the oxygen that keeps cyber-crime groups alive. The funding lets them reinvest in their own research and development, which in turn enables further attacks, and it finances organised crime groups whose activities may extend well beyond the cybercriminal realm.

What to do?

The first step is always to take measures to prevent and protect against a ransomware attack. In the first instance this means educating employees in good cyber hygiene and teaching them how to spot phishing and social engineering. Arming employees with the knowledge and skills to check who an email really came from and where a link actually leads (rather than the text it displays) goes a long way towards preventing systems from being compromised in the first place. Bear in mind that sender addresses can be forged, so this training should sit alongside technical email controls rather than replace them.

You also need to consider best practice, governance and secure technical configuration within your environment, including limiting accounts to the privileges they actually need. Should a threat actor get past your initial line of defence, you need monitoring and rapid alerting in place to detect and stop privilege escalation, such as an attacker adding a compromised account to an administrative group, before it is used to spread across the estate.
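As an added illustration of the alerting described above (example code written for this page, not CyXcel’s or Weightmans’ tooling), the following script flags privileged-group membership changes and unexpected administrative logons in a stream of Windows Security log records, and correlates the two: an account that performs an admin-level logon shortly after being added to a privileged group is raised at the highest severity, because that is exactly the “escalate, then use it” sequence an attacker follows. The event IDs are real Windows Security event IDs; the privileged group names, the list of expected admin accounts, the one-hour correlation window and the sample records are all assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows Security event IDs: a member was added to a security-enabled
# global (4728), local (4732) or universal (4756) group; 4672 means special
# privileges were assigned at logon, i.e. an administrative-level logon.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ADMIN_LOGON_EVENT = 4672

# Assumptions for this example: which groups count as privileged, which
# accounts are expected to perform admin logons, and how soon after a group
# addition an admin logon is treated as escalation in progress.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
EXPECTED_ADMINS = {"CORP\\admin.jsmith", "NT AUTHORITY\\SYSTEM"}
ESCALATION_WINDOW = timedelta(hours=1)

# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"ts": "2024-03-01T09:00:05", "event_id": 4624, "subject": "CORP\\jdoe", "host": "WS17"}
{"ts": "2024-03-01T09:14:10", "event_id": 4672, "subject": "CORP\\admin.jsmith", "host": "DC01"}
{"ts": "2024-03-01T09:31:22", "event_id": 4728, "subject": "CORP\\svc_backup", "member": "CORP\\jdoe", "group": "Domain Admins", "host": "DC01"}
{"ts": "2024-03-01T09:33:40", "event_id": 4672, "subject": "CORP\\jdoe", "host": "FS01"}
{"ts": "2024-03-01T10:02:00", "event_id": 4732, "subject": "CORP\\helpdesk", "member": "CORP\\tmp-user", "group": "Remote Desktop Users", "host": "WS22"}
{"ts": "2024-03-01T11:45:00", "event_id": 4672, "subject": "CORP\\bob", "host": "WS22"}
'''


@dataclass
class Alert:
    ts: str
    severity: str
    summary: str


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return alerts in log order. Events are assumed to be sorted by timestamp."""
    alerts = []
    recently_added = {}  # member account -> time it was added to a privileged group
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        eid = e["event_id"]
        if eid in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            # Any addition to a privileged group is worth a human's attention,
            # whoever performed it; remember the member for later correlation.
            recently_added[e["member"]] = ts
            alerts.append(Alert(e["ts"], "high",
                                f"{e['subject']} added {e['member']} to {e['group']} on {e['host']}"))
        elif eid == ADMIN_LOGON_EVENT and e["subject"] not in EXPECTED_ADMINS:
            added = recently_added.get(e["subject"])
            if added is not None and ts - added <= ESCALATION_WINDOW:
                minutes = int((ts - added).total_seconds() // 60)
                alerts.append(Alert(e["ts"], "critical",
                                    f"admin logon by {e['subject']} on {e['host']} "
                                    f"{minutes} min after being added to a privileged group"))
            else:
                alerts.append(Alert(e["ts"], "medium",
                                    f"admin logon by unexpected account {e['subject']} on {e['host']}"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity.upper():8}] {a.ts} {a.summary}")
```

On the sample data this raises three alerts: a high-severity alert for the addition of CORP\jdoe to Domain Admins, a critical alert when that account performs an admin logon two minutes later, and a medium alert for CORP\bob, whose admin logon is unexpected but not preceded by a recorded group change. The addition to “Remote Desktop Users” is deliberately ignored as that group is not in the privileged set. The same correlation pattern applies to any identity source that records group changes and privileged logons, not just Windows.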

Lastly, you need tested, isolated backups and a well-rehearsed incident response plan so that an attack can be contained quickly and recovery does not depend on the attacker. If, despite all of this, you are faced with the question “to pay or not to pay”, CyXcel can help. CyXcel is a specialist digital transformation and cybersecurity consulting business wholly owned by Weightmans LLP. We uniquely combine legal, technical and crisis management expertise in one provider, advising through all stages of an attack to protect you and your business.

In today's tech-driven world, strong digital credentials are essential for any organisation. Cybersecurity is now an absolute necessity to both protect your business and build resilience, enable growth, success and sustainability. Learn more about CyXcel, our cybersecurity and incident response specialist business.
