NCSC and ICO issue stark warning on ransoms
"Criminalising ransom payments could shift the focus of criminality from the perpetrator to the victim."
The heads of the UK’s National Cyber Security Centre and Information Commissioner’s Office have written to the Law Society in a bid to stop lawyers’ clients making ransom payments in malware attacks.
In their letter, Information Commissioner John Edwards and NCSC chief exec Lindy Cameron made a not-so-subtle threat that, if companies continue to pay out ransoms, they may face legal trouble. This might be for sanctions-busting, if payments go to a proscribed country, or for failing in their duty to safeguard their data.
“While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position… UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident,” said the joint letter.
“For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”
The letter said the ICO would see other actions as mitigating risk, including: notifying the NCSC and Action Fraud; evidence that organisations have complied with NCSC guidance; and evidence that organisations “have taken steps to fully understand what has happened and learn from it”.
A survey of 2021 ransomware incidents by Proofpoint found 82% of UK businesses hit by ransomware made ransom payments, compared to a global average of 58%. The survey also claimed only 4% of those who paid up actually got access to their data.
The ICO and NCSC letter noted that neither body shares information on specific incidents with regulators without permission, though both do share “information on strategic trends”.
“We are keen to engage and work with you, and, through you the profession, to ensure there is understanding and clarity about the cyber security standards we expect organisations to follow when they have been a victim of a cyber attack. This engagement is already well supported by the Insurance Trust Group,” the letter added.
Criminalising ransom payments: law of unintended consequences?
The possible criminalisation of ransom payments could have the perverse effect of making ransomware even more profitable than it is already, warned Charl van der Walt, head of security research at Orange Cyberdefense, in a statement to The Stack.
“On one hand, ransom payments essentially fund cybercrime. Paying out leads to more attacks and there is no guarantee that hackers will release the data after receiving payment. It could even result in further demands.
“However, criminalising ransom payments could shift the focus of criminality from the perpetrator to the victim, and set off a chain of unintended consequences, such as a reluctance to report breaches. Combined, this could force the issue underground and make the practice more lucrative for cybercriminals,” said van der Walt.
“Whether criminalised or not, it is undoubtable that businesses should not pay the ransom demanded of them,” he concluded.