The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have joined forces to call on the legal profession to stop advising organisations to pay off ransomware demands.
In a letter to the Law Society, the NCSC and the ICO said there was clear evidence of a rising number of organisations making ransomware payments, some of them on the advice of legal professionals acting on the erroneous belief that doing so will preserve the integrity of their data, or lead to lesser penalties from the ICO should the regulator become involved.
The letter restates the NCSC's clear guidance that paying a ransomware gang guarantees nothing, and reaffirms that the ICO does not treat a ransom payment as a mitigating factor. It urges the Law Society to remind its members of this, as some legal practitioners are clearly giving inaccurate advice and putting their clients at risk. “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations,” said NCSC CEO Lindy Cameron.
“Unfortunately, we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend. Cyber security is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
Information commissioner John Edwards added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cyber crime costing UK firms billions over the past five years,” he said. “The response to that must be vigilance, good cyber hygiene – including keeping appropriate backup files – and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”
Current ICO policy does recognise when an organisation has taken steps to fully understand what happened in the course of a ransomware attack, has learned from the experience, can evidence that, where appropriate, it raised the incident with the NCSC, and can demonstrate compliance with NCSC guidance. The NCSC publishes its current ransomware advice on its website, and the ICO has published similar guidance.
Ransomware attacks and other forms of cyber crime should in any case be reported to Action Fraud on 0300 123 2040; to the ICO where personal data is affected (under UK GDPR a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it); and to the NCSC for major cyber incidents.
Charl van der Walt, head of security research at Orange Cyberdefense, said it was time to revisit the idea of regulating, if not banning outright, the payment of ransoms to cyber criminals. “If victims keep paying the ransoms demanded of them by cyber criminals, there is no reason to believe that the ransomware crime wave will abate,” said van der Walt.
“As Mr Edwards presciently points out, there is not just the impact on individual businesses to consider, but also broader societal harm. Crime theory teaches us that to tackle crime we must demotivate the offender, which, in this case, means cutting off their flow of money.
“However, because there is no legal barrier to victims claiming ransom payments back on cyber insurance, they are in some ways being incentivised to pay. Therefore, it is worth evaluating the pros and cons of regulating these payments.”
Van der Walt said that while it is clear that ransom payments fund further attacks and bring no guarantees vis-à-vis data recovery, over-regulation or criminalisation of payments risked shifting the focus of criminality to the victim, and could make organisations reluctant to report incidents and force ransomware deeper underground.
However, he added, whether criminalised or not, there was no question that victims should not pay a ransom.