Ransomware demands – should you pay up to save your business in the face of growing state disapproval?

A ransomware attack is the worst nightmare of many business leaders. If systems are insufficiently backed up or protected, an organisation’s entire IT network can be compromised within hours, if not minutes.

Ransomware is a type of malware that encrypts files on a host computer system. Once a threat actor has gained access to computer systems and delivered the ransomware into the network, it encrypts (or more rarely deletes) all data stored on the system. Ransomware generally spreads through the network, exploiting all available security gaps to maximise the volume of encrypted data. The threat actor will then send a ransom note to the operator of the affected system, demanding payment, usually in bitcoin, in exchange for the decryption keys that will release their data. As well as holding data hostage, the threat actor will usually threaten to release the data (which may be confidential or sensitive) to the dark web.

Conflicting pressures

As the perpetrators of ransomware attacks grow in strength and sophistication, governments around the world are becoming more interested in the use to which such criminals put their ill-gotten gains. Increasingly, organisations are faced with the dilemma of refusing to engage with threat actors and suffering huge or even fatal losses, or paying a ransom and risking investigation for supporting organised crime and potentially sanctioned groups or individuals.

The more advanced threat actors have have developed branding and messaging to accompany their demands. It is often impossible to keep a ransomware attack secret as the threat actor group will often set up a new website identifying their corporate victim, complete with a countdown to the ransom deadline. The added attention from customers, shareholders and the press increases the pressure to negotiate and ultimately to pay up.

But who is on the receiving end of a ransom payment? One of the many problems with ransom payment, aside from the fundamental ethical challenge, is the fact that there is no way to know whether the recipient is subject to state sanctions. Government sponsored cyber terrorism is nothing new and it is virtually impossible to prove that a ransom demand does not come from an organisation with connections to a hostile state.

Ambiguity in the UK

In the UK, HM Treasury publishes a list of individuals who are subject to sanctions – including those sanctioned specifically for cyber activities - but there is little support for organisations to identify links between the source of a ransom demand and sanctioned groups or individuals. In July 2022 the UK’s National Cyber Security Centre together with the UK data regulator (the Information Commissioner’s Office) published an open letter to UK lawyers, warning them against advising clients in favour of paying ransoms. The letter states:

“Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance - may change that position”.

The ICO also specifically addressed the fact that ransom payments could prevent further data compromise:

“the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action”.

The UK's Parliamentary Joint Committee on the National Security Strategy launched a call for evidence on ransomware in November 2022.  It is seeking views on the nature and extent of ransomware threats, how they are deployed and how they are likely to develop.  Information is also sought on the level of vulnerability and preparedness of organisations, and as to whether government response and those of other stakeholders like the ICO, are appropriate or reforms are needed.  It will be interesting to see whether new legislation is recommended in this area.

A firm line from the US Department of the Treasury

In May 2021, President Biden had further strengthened the US response to cybercrime in an Executive Order which made significant demands of the public sector but notably requires IT Service Providers (including cloud providers) to share cyberattack information with government departments and agencies.

Sanctions and increased activity from Russian groups in the context of the war in Ukraine is not the only trigger for increased government interest in cybercrime. In September 2021,

The US Treasury published an advisory note on ransom payment in light of increased attacks taking advantage of changes to working practices caused by the COVID-19 pandemic.

The Treasury guidance identifies a number of groups with sponsorship from sanctioned states that have been responsible for significant cyberattacks in recent years. The guidance strongly advises that US companies hit with a ransomware attack liaise with law enforcement bodies.

When deciding whether to take enforcement action for payment of a ransom to a sanctioned entity, the OFAC (the Office of Foreign Assets Control) will consider engagement with law enforcement to be a mitigating factor. Other notable mitigating factors include having taken reasonable and recommended precautions to guard against the risk of attack and the existence, nature, and adequacy of a sanctions compliance program. However, it is unclear how helpful these mitigating factors will be if a company knowingly pays a ransom to a sanctioned entity, as opposed to making a payment without knowledge of the sanctioned status of the threat actor.

An international trend

The UK and US are far from the only countries exhibiting a strong interest in ransom payments and their potential to support sanctioned individuals and groups.

Australia’s approach is notable as the country has long had very firm messaging against ransom payments. After experiencing a number of high profile ransomware attacks in recent years Australia has moved to align with the US and further toughen its stance.

The Australian Cyber Security Center strongly advises against making ransom payments but despite this, forensics specialists Crowdstrike estimated that a third of Australian ransomware victims during 2020 paid the ransom. The Australian government has twice introduced draft legislation to the payment of ransoms in cyberattacks. So far nothing has been passed but the government shows no sign of dropping the issue as part of its Ransomware Action Plan.

Governments are not, however, looking at this issue in isolation.  International cooperation on the issue of ransomware was a focus of the recent second International Counter Ransomware Initiative Summit.  36 countries including the UK and US as well as the EU committed to developing coordinated guidelines on preventing and responding to ransomware attacks. There are plans to establish an International Counter Ransomware Taskforce to share knowledge and resources, and to coordinate on enforcement in line with national law and policy.

An impossible choice?

To date there have been no publicised cases in the UK of organisations facing penalties for sanction busting through payment of a cyber ransom but the threat will give some organisations pause for thought, particularly if payment of a ransom will not be accepted as a risk-reduction factor by the ICO (even if the payment does actually reduce the risk of further data compromise). However, for most organisations the main factor will be whether making a payment will enable the restoration of services and recovery of the business.

If there is no evidence of connection to a sanctioned group, the decision to make a payment is financial, and possibly ethical, rather than legal, but a quick internet search will not be sufficient to determine whether a threat actor is subject to sanctions. To have any confidence in the decision to pay a ransom, organisations will need to engage specialist IT support with ransomware expertise. If possible such support should be engaged through external lawyers to preserve privilege in the advice as far as possible. While lawyers cannot (and would not) advise in favour of a ransom payment, they can provide invaluable support in establishing the level of risk to which a payment would expose an organisation and its leadership.

Decisions on whether to engage with the perpetrators of ransomware attacks are becoming harder as the ransoms are rising higher and insurance is difficult and expensive to obtain (and often will not cover ransom payments themselves – see here for more).

While the decision to pay or not cannot be made in advance, there is a lot that organisations can do to reduce the risk of an attack and the damage it causes if it happens. To learn more about breach response and preparedness please visit our Breach Ready page for more resources.