Ransomware attacks continue to be the most serious cyber threat facing UK organisations today.

This reflects the global position, with NCC Group reporting that global ransomware attacks rose by 84% last year. These attacks involve a threat actor gaining access to an organisation's network (often through an initial phishing attack), deploying malware, and encrypting files across all or part of the estate so that the victim can no longer use its systems. The threat actor will also usually exfiltrate caches of data from the victim's systems before the encryption is triggered (so-called double extortion). The threat actor then offers, in return for a ransom payment, to supply a decryption key so the victim can regain access to its systems and/or to delete rather than publish the stolen data. Commonly, victims will be threatened with publication of their data on the dark web if they fail to make payment.

In the midst of that febrile environment, many organisations will inevitably ask themselves the question: should we pay the ransom? The response from the ICO and the National Cyber Security Centre (NCSC) has typically been, “no”. The legal profession has also been specifically encouraged not to advise clients to pay ransomware demands in the event of a cyber attack.

There are a number of reasons for this:

  1. Paying money to criminal organisations can expose an organisation to a number of legal and regulatory risks (sanctions breaches, money laundering, terrorist financing, bribery etc).
  2. Payment is no guarantee that the threat actor will fulfil their side of the bargain. Threat actors vary in their conduct. Our recent experience tells us that some will publish the data regardless, or sell it to another party, or continue to refuse to decrypt systems (sometimes seeking an additional payment to do so).
  3. Even if the threat actor decrypts the systems and agrees not to share the stolen data, the organisation has still lost control of that data: the breach has occurred, its reporting obligations are unchanged, and it remains exposed to regulatory action. Clearly, assurances from a criminal actor hold little weight with the ICO, which has been clear that payment of a ransom will not be considered an appropriate response to a cyber breach.
  4. There is some evidence that paying on one occasion increases the victim's chances of being targeted again in the future, since a known payer is an attractive target.
  5. If organisations continue to pay ransoms, this reinforces the ransomware business model. The percentage of organisations that pay ransoms is not known, but the prevalence of ransomware attacks clearly reflects the attackers' confidence that the prospects of obtaining payment justify the investment.

Three major UK insurance associations (the Association of British Insurers, the British Insurance Brokers' Association and the International Underwriting Association) have collaborated with the NCSC to publish guidance which seeks to improve market-wide ransomware discipline, with the ultimate aim of undermining the profitability of the ransomware business model. The guidance also offers some practical tips on minimising the disruption caused by ransomware attacks.

Some of the key considerations outlined in the guidance include:

  • Review the alternatives to paying: can you restore systems from a backup (one the attacker has not also encrypted or deleted, so offline or immutable copies matter), or obtain decryption keys from third parties such as law enforcement or the No More Ransom project?
  • Consult cyber incident response (CIR) companies to help manage the technical response, including containment and evidence preservation.
  • If you have cyber insurance (or, we would add, business interruption insurance), notify your insurer promptly. Policies often require this, and the insurer may also be able to recommend CIR companies.
  • Assess the workarounds available to minimise disruption and how long these can be sustained.
  • Understand what data has been affected and verify, as far as you are able, what the threat actor is claiming to have stolen, for example by checking any sample they provide against your own copies and reviewing logs for the volume and timing of outbound transfers. Attackers routinely overstate what they hold.
  • Conduct a cost analysis of your options (including business disruption, security improvement work, staff time, legal expenses, regulatory penalties etc).
  • Remember that the ransom demand is usually negotiable, and that specialist negotiators can often be engaged through the CIR company or insurer.

There have been calls to further tighten the UK's approach to ransomware attacks by requiring victims to report all ransomware attacks and to obtain a licence before making any payment. We understand that these proposals will be consulted upon in the near future, so watch this space for any updates.

At Burness Paull, our expert cyber team understands how challenging and disruptive cyber breaches can be for businesses, and the consequences that can flow from them. Whatever the nature, size or stage of the issue, we can help clients to manage their response or, better still, work with them on preventative strategies to mitigate the risk of an incident occurring.
