We first published this alert in June 2021 and have updated it to take into account recent developments.

Introduction

A significant amount of our work at Cordery in the last two or three years has been helping clients deal with ransomware attacks.  It’s never a pleasant experience.  We’ve set out some of our thoughts on the practical steps an organisation can take to prevent ransomware here www.bit.ly/cvransom.  We’ve also included some practical tips there for when a ransomware attack occurs.

In many of the cases we’ve handled there’s a debate on whether to pay the ransom or not.  In this note we’ll look at the legal implications of paying a ransom.  Whilst we’ve looked only at the legal implications there are societal and reputational considerations too.  Some of these considerations are discussed by the No More Ransomware project here https://www.nomoreransom.org/.

How does a ransomware attack work?

A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities.  The attackers demand that the victim pays money (usually in cryptocurrency such as Bitcoin or Monero) to receive the decryption key or recover access.

The main ways that a ransomware ‘payload’ can enter an organisation’s network are via:

  1. mimicking a user’s credentials to access the system or to move around the system once the criminals are in;
  2. an attachment to an email (usually framed as something important or “urgent”);
  3. web-browsing;
  4. what looks to be a voicemail message perhaps via social media;
  5. remote access and remote control applications (either on the company’s own systems or using lateral movement on shared systems); or
  6. removable media and personally owned devices.

The criminals usually exploit a vulnerability in the operating system or other installed software, which then starts the encryption process.

We have looked at this in more detail in previous alerts such as www.bit.ly/cvransom and https://www.corderycompliance.com/data-breaches-and-transparency/.  In June 2021, we also interviewed Don Smith, Senior Director, Secureworks Counter Threat Unit™ about ransomware: https://www.corderycompliance.com/cordery-head-to-head-don-smith-ransomware/. More recently we have looked at the effects of the conflict in the Ukraine on ransomware.  You can read those thoughts here https://bit.ly/ukrwar.

The figures seem to support a continued rise in ransomware attacks.  There are some useful figures on breaches here https://www.blackfog.com/the-state-of-ransomware-in-2022/.  In March 2022, the UK’s DPA, the ICO, said that the number of cyber-related data breaches was up almost 20% over the past two years and they also highlighted issues around the Ukraine conflict.  The Chief of the UK’s National Cyber Security Centre (NCSC) has also said that ransomware was the key threat facing the UK and urged the public and business to take it seriously: https://www.ncsc.gov.uk/news/rusi-lecture.

What are the potential legal and commercial risks of paying ransoms?

Whilst committing a ransomware attack is clearly a criminal activity, in general, it is not a crime to pay a ransom demand in itself, unless the payer knows or reasonably suspects that there are connections with terrorism or that this would breach sanctions regimes.  However, paying a ransom can be a risky business for a number of reasons, including because:

  • You may not end up getting the data back – there is no guarantee that the hackers will actually hand over the key and release the data, and they may even keep asking for more money. A study by Blakes in Canada suggests that 9% of organisations who paid the ransom did not get a functional decryption key in return.  Even if the gang do hand over the keys, you’re unlikely to be able to restore everything.  Some experts say that 80% restoration is the best you can expect.  And if the keys work there is still a lot of effort involved in restoring servers and cleaning devices.  For example, even with a ransomware key the Irish health service has still needed support from Irish Defence Forces to restore systems.  Two months after the original attack it had still only restored 3,933 out of 4,891 servers and only cleaned 69,000 devices out of the 83,000 affected.  This was despite the support of an extra 850 personnel from the Irish Defence Forces and external consultants.
  • The attackers will be more likely to strike again – making payments will likely encourage further ransomware attacks, especially if the hackers know that their demands will be met. Some gangs will sell your details and/or their exploits for a return attack by someone else.  There is at least anecdotal evidence of subsequent ransom demands increasing as the threat actors additionally threaten to make public an earlier payment.  Where exfiltration has taken place then you might get a second demand to get the data back.
  • The attackers may learn more about your business and systems – in the process of negotiating with the hackers, you may unwittingly or under pressure disclose further information about your business and systems that could be exploited in future attacks.
  • The ransom payments ultimately fund criminal activity – ransomware is in part increasing because of the economics. Ransomware gangs can afford to pay for 0 day vulnerabilities and talent to make more attacks likely.  There’s sometimes a link with other organised crime activity too.
  • You can face fines / enforcement from data protection regulators – severe penalties may apply under data protection laws if personal data is compromised or unavailable and this is not managed correctly, i.e. making required breach notifications etc. Some DPAs may be more understanding if the ransomware demand is not met and the organisation cooperates with law enforcement. As an example, the ICO issued new guidance on ransomware in March 2022.  That guidance says “Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. The ICO supports this position.  You should also consider the terminology within the UK GDPR. It requires you to implement “appropriate measures” to restore the data in the event of a disaster. The ICO does not consider the payment of a ransom as an “appropriate measure” to restore personal data.”
  • You can face fines / enforcement from other regulators – if you are in a regulated industry you’ll likely still have to report the incident even if you pay. For example for a financial services organisation subject to FCA rules, the FCA’s position is that “you need to tell the FCA as soon as you know of ‘material’ cyber incidents which affect your firm.”  The FCA’s view is that a ransomware attack is likely to be reportable if malicious software is present on your information and IT systems even if you pay the ransom.  Substantial fines and other enforcement action may also apply if an incident is not handled properly.  There are a number of different sector specific regimes in play e.g. financial services institutions under FCA rules and operators of essential services and digital service providers under the Security of Network and Information Systems Directive (NIS Directive). See our article on the proposed NIS2 Directive here: https://www.corderycompliance.com/client-alert-nis-2-directive/ .
  • You could face criminal penalties under anti-bribery laws – in the UK, for example, there is an argument at least that a person making unlawful payments to a ‘foreign public official’ (e.g. in the case of state-sanctioned ransomware attacks) could be prosecuted under the Bribery Act 2010 (although this is yet to be fully tested).
  • You could contravene sanctions regimes – some foreign actors involved in ransomware attacks are subject to sanctions, so engaging with them may facilitate unlawful activity and breach sanctions regimes. This is even more likely with the sanctions regime being extended due to the Ukraine conflict to threat actors, banks and cyber exchanges (see https://bit.ly/ukrwar).  But Russia is not the only concern – see for example the sanctions for North Korea here https://www.gov.uk/government/publications/financial-sanctions-north-korea-democratic-peoples-republic-of-korea.  The BBC’s excellent Lazarus Heist podcast talks about North Korea’s involvement in ransomware here https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads.  Russian threat actors have been the subject of sanctions – for example in April 2021, the US imposed sanctions against 32 entities and officials involved in cybercrimes “and other acts of disinformation”.  The April 2021 sanctions were said to be partially in response to a number of cyber attacks including the SolarWinds attack.  Two of the organisations sanctioned in 2021 had also been sanctioned in 2016 and 2018.

In December 2019, the US Treasury Department’s Office of Foreign Assets Control (OFAC) took action against Evil Corp, another Russian-based gang, and charged two of Evil Corp’s members with criminal violations.  They also announced a reward of up to $5m for the capture or conviction of Evil Corp’s leader.  Note that Evil Corp is not the same as the REvil gang although some individuals may be connected with both gangs.  In July 2020 the EU also imposed sanctions in response to the WannaCry, NotPetya, and Operation Cloud Hopper ransomware attacks.  Those sanctions cover individuals and organisations with connections to China, North Korea and Russia.

In September 2021, OFAC also added a currency exchange to its sanctions list.  SUEX (a.k.a. “SUCCESSFUL EXCHANGE”), a provider with a presence in both Russia and the Czech Republic, was suspected of helping process ransomware payments.  So there is a risk that any payments made could involve sanctioned entities in the payment chain as well as the risk of sanctioned entities ultimately receiving the money.

There is an added problem with sanctions since attribution for ransomware is often difficult – how do you know who is behind the attack and where they are based?  How do you know where the money is going?  An IP address is unlikely to be a useful guide since ransomware attacks often use someone else’s IP address and agents could be based elsewhere.  For example, the Lazarus Heist podcast suggests that some North Korean state actors operate from China.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also issued an updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments:  https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf

  • You could face criminal liability under terrorism laws – for example, the UK Terrorism Act 2000 includes offences in respect of any person who enters into a funding arrangement and knows or reasonably suspects it will or may be used for the purposes of terrorism and also for providing insurance against payments made in response to terrorist demands.
  • You could invalidate your insurance – paying the ransom may invalidate your cyber insurance policy, depending on the circumstances of the payment and the terms of your policy. If you are insured and the insurer does sanction a payment you can expect this to affect your insurance on renewal.
  • You could have difficulties with KYC or other obligations – you are not going to be able to do proper compliance checks or do other due diligence on anyone you are paying a ransom to. If you are subject to any form of KYC, due diligence or money laundering obligations, you are unlikely to be able to meet them.
  • It is hard to cover up a ransomware payment – ransomware attacks often become public either through gang activity or a growing number of bloggers and journalists covering ransomware attacks. Specialist sites like Ransomwhere also track payments made.

Will I still have to report an attack if I pay?

Almost certainly yes.  It is hard to rely on the word of a criminal organisation so you are unlikely to be able to argue that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.  As a result, it is likely that the obligation to report to a DPA under GDPR Art. 33 will be triggered.

The ICO’s March 2022 Guidance supports that view.  It says “If you do decide to pay the ransom to avoid the data being published, you should still presume that the data is compromised and take actions accordingly. For example, the attacker may still decide to publish the data, share the data offline with other attack groups or further exploit it for their own gains. You still need to consider how you will mitigate the risks to individuals even though you have paid the ransom fee.”

What about specific new laws to ban ransomware payments?

In part because of the threat that some ransomware attacks bring to critical national infrastructure, some countries are considering new laws specifically banning ransomware payments.  There’s a short film here discussing some of those proposals https://bit.ly/ransompayfilm. Our understanding is that currently the Biden administration is not in favour of a legal ban on ransom payments.  There have also been proposals for new legislation in Australia.  There seem to be as yet no plans to mirror this planned legislation in Europe.

What should you do if your organisation is faced with a ransomware attack?

From our experience specialist advice is key.  You should consider instructing lawyers used to dealing with ransomware attacks and specialist security advisors.  The nature of ransomware is changing rapidly so pick someone who understands the latest forms of attack.  Privilege may be important too.

Once you have the right team on-board you could consider taking steps to verify that the threat is genuine, including:

  • scanning your systems for vulnerabilities;
  • asking for proof that the hacker actually holds your data by asking for a sample of the ‘stolen’ dataset – sometimes hackers try it on and don’t actually have your data, so it can be worth checking;
  • quickly activating your data breach / security incident response plan;
  • where appropriate, promptly reporting the attack to the relevant law enforcement authorities – e.g. the police and the NCSC;
  • if the attack has resulted in personal data being compromised, promptly reporting the personal data breach to the relevant data protection regulator – this must generally be done within 72 hours; and
  • notifying your insurers at the earliest opportunity. Some ransom payments may be recoverable under some policies, provided the correct process is followed.

There may also be reporting obligations under NIS (as mentioned above) and you may also have obligations to tell individuals who might be affected.  See our previous article which provides some further detail on some of these points: https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/.

NCSC has jointly published an advisory on the technical aspects of remediation of ransomware attacks: https://us-cert.cisa.gov/ncas/alerts/aa20-245a.

What can you do to guard against a ransomware attack?

Some of the most effective preventative measures that you can put in place include ensuring that:

  1. appropriate technical and organisational security measures are implemented to protect data, that systems are constantly monitored for threats and that patches and security updates are promptly applied. This will include monitoring for attacks and for exfiltration, protecting access rights and using multi-factor authentication (MFA);
  2. you have effective reporting procedures and internal policies/guidance specifically dealing with ransomware. This should include a prohibition on ransomware being paid without a proper consideration of the wider risks – consider if it is appropriate to reserve ransomware payments for senior sign-off only;
  3. you consider some of the issues regarding payment in advance. You may want to have board-level discussions.  Have a checklist, create a simple policy;
  4. you ensure that any ransomware payments meet your transparency obligations (see https://www.corderycompliance.com/data-breaches-and-transparency/). Misdescribing a ransomware payment could also have other consequences;
  5. staff have been properly trained in how to recognise ransomware, not to open suspicious attachments or links and what to do if a ransomware attack does happen. Rehearsing for an attack – for example by putting your people through the Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/) can help make sure you respond properly when an attack happens;
  6. you have in place a robust data breach response plan for dealing with the incident, which includes engaging key internal stakeholders and external experts in a timely manner. For privilege reasons you might want to have specialist lawyers and external experts on standby ready to respond;
  7. you regularly test your security and your data breach response plan; and
  8. you consider taking out cyber risk insurance (talk this through with your insurer or insurance broker).

Also, see our previous article, which provides some further detail on preventative measures: https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/.

Conclusion

In conclusion, very careful consideration needs to be given to paying a ransom request – in most cases this will not be advisable.  As ever, it is better to be proactive and invest in protecting your valuable data assets from cyber attack rather than having to take defensive action.

For more information

For more information please contact Jonathan Armstrong or Andre Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Some of the technical terms used in this note are explained at www.bit.ly/gdprwords

The NCSC has also issued more technical guidance on mitigating malware and ransomware attacks: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

There are more details of the Evil Corp sanctions here https://bit.ly/3dILmdh and more details of EU sanctions here https://bit.ly/2UGW6SS.

There are more details of payments made on the Ransomwhere site here https://ransomwhe.re/.

There are more details of the Blakes study in Canada at https://bit.ly/3ePXDNt.

Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785