Businesses are being urged not to pay cyber extortionists as authorities say they are seeing evidence of a rise in ransomware payments.
In a joint letter to the Law Society, the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office are warning solicitors who may have been advising their clients to pay.
It follows warnings earlier this year from cyber security experts in the UK, US and Australia of a “growing wave of increasingly sophisticated ransomware attacks” which could have “devastating consequences”.
The joint letter states that while ransomware payments are “not usually unlawful”, those who pay them “should be mindful of how relevant sanctions regimes (particularly those related to Russia)” apply when considering making the payment.
In December 2019 the US sanctioned any financial dealings with a Russian cyber crime group that was accused of working with Russian intelligence to steal classified government documents.
Ransomware is a type of malware (malicious software) that attackers can deploy on a victim’s computer network to encrypt their files and make their devices unusable.
With modern ransomware attacks, the criminals then extort the victim to pay huge sums of money, often in Bitcoin and sometimes worth millions of pounds, to decrypt their files and make them accessible again.
But the criminal system involved – featuring skilled networks of individuals specialised in their particular roles – has developed a multi-faceted extortion model which involves stealing sensitive files and threatening to release them online in case victims are able to recover their files from unencrypted backups, or simply refuse to pay.
If published, these files, which can relate to sensitive business deals or may include customer information, could damage the victim company’s reputation, impact their share price, or potentially even lead to a class-action lawsuit, all potential impacts stressed by the criminals as part of their extortion scheme.
But as the UK’s National Cyber Security Centre warns: “Even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files.”
Despite the spillover from the Russian war in Ukraine – in one case knocking 5,800 wind turbines in Germany offline – the NCSC says it has not detected any increase in hostile activity targeting Britain during the conflict.
Businesses have, however, been warned that there is a heightened threat level when it comes to cyber attacks due to the conflict, which is likely to be here “for the long haul”.
NCSC’s chief executive, Lindy Cameron, said: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations.
“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cyber security is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
Ms Cameron previously warned that the challenge ransomware gangs posed to law enforcement was “acute” as “the criminals responsible often operate beyond our borders, are increasingly successful in their endeavours”.
“We expect ransomware will continue to be an attractive route for criminals as long as organisations remain vulnerable and continue to pay,” she said at the time.
While there have been arguments made for criminalising the payment of ransoms, it poses a number of additional risks such as providing the criminals with an additional factor they could use to extort their victims.
John Edwards, the Information Commissioner, added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released.
“It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack,” he added, responding to suggestions that some solicitors have told their clients that paying the criminals would be seen as a move to protect users’ data.
“We’ve seen cyber crime costing UK firms billions over the last five years,” the commissioner stated.
“The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks.
“Organisations will get more credit from those arrangements than by paying off the criminals.
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”