We first published this alert in June 2021 and have updated it to take into account recent developments.
A significant amount of our work at Cordery in the last year or so has been helping clients deal with ransomware attacks. It’s never a pleasant experience. We’ve set out some of our thoughts on the practical steps an organisation can take to prevent ransomware here www.bit.ly/cvransom. We’ve also included some practical tips there for when a ransomware attack occurs.
In many of the cases we’ve handled there’s a debate on whether to pay the ransom or not. In this note we’ll look at the legal implications of paying a ransom. Whilst we’ve looked only at the legal implications, there are societal and reputational considerations too. Some of these considerations are discussed by the No More Ransom project here https://www.nomoreransom.org/.
How does a ransomware attack work?
A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities. The attackers demand that the victim pays money (usually in cryptocurrency such as Bitcoin or Monero) to receive the decryption key or recover access.
The main ways that a ransomware ‘payload’ can enter an organisation’s network are via:
- mimicking a user’s credentials to access the system or to move around the system once the criminals are in;
- an attachment to an email (usually framed as something important or “urgent”);
- what looks to be a voicemail message, perhaps delivered via social media;
- remote access and remote control applications (either on the company’s own systems or using lateral movement on shared systems); or
- removable media and personally owned devices.
The criminals usually exploit a vulnerability in the operating system or other installed software, which then starts the encryption process.
We have looked at this in more detail in previous alerts such as www.bit.ly/cvransom and https://www.corderycompliance.com/data-breaches-and-transparency/. In June we also interviewed Don Smith, Senior Director, Secureworks Counter Threat Unit™ about ransomware: https://www.corderycompliance.com/cordery-head-to-head-don-smith-ransomware/.
The figures for the year to date seem to support a rise in ransomware attacks as compared to the same period last year: https://www.blackfog.com/the-state-of-ransomware-in-2021/. The Chief of the UK’s National Cyber Security Centre (NCSC) has also said that ransomware was the key threat facing the UK and urged the public and business to take it seriously: https://www.ncsc.gov.uk/news/rusi-lecture.
What are the potential legal and commercial risks of paying ransoms?
Whilst committing a ransomware attack is clearly a criminal activity, in general, it is not a crime to pay a ransom demand in itself, unless the payer knows or reasonably suspects that there are connections with terrorism or that this would breach sanctions regimes. However, paying a ransom can be a risky business for a number of reasons, including because:
- You may not end up getting the data back – there is no guarantee that the hackers will actually hand over the key and release the data, and they may even keep asking for more money. A recent study by Blakes in Canada suggests that 9% of organisations who paid the ransom did not get a functional decryption key in return. Even if the gang do hand over the keys you’re unlikely to be able to restore everything. Some experts say that 80% restoration is the best you can expect. And if the keys work there is still a lot of effort involved in restoring servers and cleaning devices. For example, even with a ransomware key the Irish health service has still needed support from Irish Defence Forces to restore systems. Two months after the original attack it had still only restored 3,933 out of 4,891 servers and only cleaned 69,000 devices out of the 83,000 affected. This was despite the support of an extra 850 personnel from the Irish Defence Forces and external consultants.
- The attackers will be more likely to strike again – making payments will likely encourage further ransomware attacks, especially if the hackers know that their demands will be met. Some gangs will sell your details and/or their exploits for a return attack by someone else. There is at least anecdotal evidence of subsequent ransom demands increasing as the threat actors additionally threaten to make public an earlier payment.
- The attackers may learn more about your business and systems – in the process of negotiating with the hackers, you may unwittingly or under pressure disclose further information about your business and systems that could be exploited in future attacks.
- The ransom payments ultimately fund criminal activity – ransomware is in part increasing because of the economics. Ransomware gangs can afford to pay for 0-day vulnerabilities and talent, making more attacks likely. There’s sometimes a link with other organised crime activity too.
- You can face fines / enforcement from data protection regulators – severe penalties may apply under data protection laws if personal data is compromised or unavailable and this is not managed correctly, e.g. by failing to make required breach notifications. Some DPAs may be more understanding if the ransomware demand is not met and the organisation cooperates with law enforcement.
- You can face fines / enforcement from other regulators – if you are in a regulated industry, substantial fines and other enforcement action may also apply if an incident is not handled properly, e.g. financial services institutions under FCA rules and operators of essential services and digital service providers under the Security of Network and Information Systems Directive (NIS Directive). See our article on the proposed NIS2 Directive: https://www.corderycompliance.com/client-alert-nis-2-directive/.
- You could face criminal penalties under anti-bribery laws – in the UK, for example, there is an argument at least that a person making unlawful payments to a ‘foreign public official’ (e.g. in the case of state-sanctioned ransomware attacks) could be prosecuted under the Bribery Act 2010 (although this is yet to be fully tested).
- You could contravene sanctions regimes – some foreign actors involved in ransomware attacks are subject to sanctions, so engaging with them may facilitate unlawful activity and breach sanctions regimes – see for example the sanctions for North Korea here https://www.gov.uk/government/publications/financial-sanctions-north-korea-democratic-peoples-republic-of-korea. The BBC’s excellent Lazarus Heist podcast talks about North Korea’s involvement in ransomware here https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads. Russian threat actors are also the subject of sanctions – for example in April 2021, the US imposed sanctions against 32 entities and officials involved in cybercrimes “and other acts of disinformation”. The April 2021 sanctions were said to be partially in response to a number of cyber attacks including the SolarWinds attack. Two of the organisations sanctioned in 2021 had also been sanctioned in 2016 and 2018.
In December 2019, the US Treasury Department’s Office of Foreign Assets Control (OFAC) took action against Evil Corp, another Russian-based gang, and charged two of Evil Corp’s members with criminal violations. They also announced a reward of up to $5m for the capture or conviction of Evil Corp’s leader. Note that Evil Corp is not the same as the REvil gang, although some individuals may be connected with both gangs. In July 2020 the EU also imposed sanctions in response to the WannaCry, NotPetya, and Operation Cloud Hopper ransomware attacks. Those sanctions cover individuals and organisations with connections to China, North Korea and Russia.
In September 2021 OFAC also added a currency exchange to its sanctions list. SUEX (a.k.a. “SUCCESSFUL EXCHANGE”), a provider with a presence in both Russia and the Czech Republic, was suspected of helping process ransomware payments. So there is a risk that any payments made could involve sanctioned entities in the payment chain, as well as the risk of sanctioned entities ultimately receiving the money.
There is an added problem with sanctions since attribution for ransomware is often difficult – how do you know who is behind the attack and where they are based? An IP address is unlikely to be a useful guide since ransomware attacks often use someone else’s IP address and agents could be based elsewhere. For example, the Lazarus Heist podcast suggests that some North Korean state actors operate from China.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also issued an updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf
- You could face criminal liability under terrorism laws – for example, the UK Terrorism Act 2000 includes offences in respect of any person who enters into a funding arrangement and knows or reasonably suspects it will or may be used for the purposes of terrorism, and also for providing insurance against payments made in response to terrorist demands.
- You could invalidate your insurance – paying the ransom may invalidate your cyber insurance policy, depending on the circumstances of the payment and the terms of your policy. If you are insured and the insurer does sanction a payment you can expect this to affect your insurance on renewal.
- You could have difficulties with KYC or other obligations – you are not going to be able to do proper compliance checks or do other due diligence on anyone you are paying a ransom to. If you are subject to any form of KYC, due diligence or money laundering obligations, you are unlikely to be able to meet them.
- It is hard to cover up a ransomware payment – ransomware attacks often become public either through gang activity or a growing number of bloggers and journalists covering ransomware attacks. Specialist sites like Ransomwhere also track payments made.
What about specific new laws to ban ransomware payments?
In part because of the threat to critical national infrastructure that some ransomware attacks bring, some countries are considering new laws specifically banning ransomware payments. There’s a short film here discussing some of those proposals https://bit.ly/ransompayfilm. Our understanding is that currently the Biden administration is not in favour of a legal ban on ransom payments. There have also been proposals for new legislation in Australia. There seem to be as yet no plans to mirror this planned legislation in Europe.
What should you do if your organisation is faced with a ransomware attack?
From our experience specialist advice is key. You should consider instructing lawyers used to dealing with ransomware attacks and specialist security advisors. The nature of ransomware is changing rapidly so pick someone who understands the latest forms of attack. Privilege may be important too.
Once you have the right team on board you could consider taking steps to verify that the threat is genuine and to respond, including:
- scanning your systems for vulnerabilities;
- asking for proof that the hacker actually holds your data by asking for a sample of the ‘stolen’ dataset – sometimes hackers try it on and don’t actually have your data, so it can be worth checking;
- quickly activating your data breach / security incident response plan;
- where appropriate, promptly reporting the attack to the relevant law enforcement authorities – e.g. the police and the National Cyber Security Centre (NCSC);
- if the attack has resulted in personal data being compromised, promptly reporting the personal data breach to the relevant data protection regulator – this must generally be done within 72 hours. The UK’s regulator, the Information Commissioner’s Office (ICO), has brief guidance on reporting cyberattacks. The ICO is expected to publish specific guidance on ransomware and incident response shortly, so keep an eye out for this;
- notifying your insurers at the earliest opportunity (ransom payments may be recoverable under some policies, provided the correct process is followed).
There may also be reporting obligations under NIS (as mentioned above) and you may also have obligations to tell individuals who might be affected. See our previous article which provides some further detail on some of these points: https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/.
NCSC has jointly published an advisory on the technical aspects of remediation of ransomware attacks: https://us-cert.cisa.gov/ncas/alerts/aa20-245a.
What can you do to guard against a ransomware attack?
Some of the most effective preventative measures that you can put in place include ensuring that:
- appropriate technical and organisational security measures are implemented to protect data, that systems are constantly monitored for threats and that patches and security updates are promptly applied;
- you have effective reporting procedures and internal policies/guidance specifically dealing with ransomware. This should include a prohibition on ransomware being paid without a proper consideration of the wider risks – consider if it is appropriate to reserve ransomware payments for senior sign-off only;
- any ransomware payments meet your transparency obligations (see https://www.corderycompliance.com/data-breaches-and-transparency/). Misdescribing a ransomware payment could also have other consequences;
- staff have been properly trained in how to recognise ransomware, not to open suspicious attachments or links and what to do if a ransomware attack does happen. Rehearsing for an attack – for example by putting your people through the Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/) can help make sure you respond properly when an attack happens;
- you have in place a robust data breach response plan for dealing with the incident, which includes engaging key internal stakeholders and external experts in a timely manner. For privilege reasons you might want to have specialist lawyers and external experts on standby ready to respond;
- you regularly test your security and your data breach response plan; and
- you consider taking out cyber risk insurance (talk this through with your insurer or insurance broker).
Also, see our previous article, which provides some further detail on preventative measures: https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/.
In conclusion, very careful consideration needs to be given to paying a ransom request – in most cases this will not be advisable. As ever, it is better to be proactive and invest in protecting your valuable data assets from cyber attack rather than having to take defensive action.
For more information
For more information please contact Katherine Eyres or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
The NCSC has also issued more technical guidance on mitigating malware and ransomware attacks: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
There are more details of payments made on the Ransomwhere site here https://ransomwhe.re/.
There are more details of the Blakes study in Canada at https://bit.ly/3ePXDNt.
30 Farringdon Street,
London EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)20 7075 1786