Ransom attacks have become big business for cyber criminals. The sums now being demanded, and often paid, are getting higher and the threats more alarming. The criminals don't just encrypt systems and offer the keys back in exchange for a ransom; they now typically steal personal data and confidential information and then publish it if the ransom is not paid.
Those hit by a ransom attack often face a moral, legal and reputational dilemma. Do they pay the criminals to restore their systems and prevent the publication of stolen information, but risk being criticised for fuelling criminal activity? Or do they take the moral high ground and refuse to pay, but face substantial operational damage and the publication of sensitive information about staff and customers, together with all the resulting regulatory and litigation consequences?
Is the threat real?
The first thing to work out, with expert support, is whether the ransom threat is real or not. There are many examples of ransomware that encrypts systems and leaves a ransom note but where the spread of the malware is automated and the criminals will wait at the other end of an email address to receive payment, with no ongoing "threat activity". Making a payment to such a group may achieve no practical benefit. In other cases, the threat is very real and there may be a limited window in which to consider paying or negotiating in order to avoid active steps by a criminal group to cause further damage.
It is built into the business model of many attackers to make the victim aware of the name of the attacking group and to provide clear details of how the attackers can be contacted and paid. Of course, they are careful not to reveal their real identities or forensic information that might enable them to be traced. But they want to develop a reputation for being as good as their word, whether that means providing the decryption key or publishing data as threatened.
To apply pressure, some criminal groups operate sites on the dark web to publicise who they have infiltrated and the categories of data they will make available if they are not paid. Notable victims are discovered on those sites by journalists, who may bring the potential leaks to the attention of more mainstream media. This alone can cause significant reputational headaches.
The ransoms paid by victims are often unreported. Attacker groups do not want a reputation for negotiating their demands down. Victims do not want a reputation for having paid a ransom for fear of being targeted by other attackers.
Some of the more sophisticated groups tailor their ransom demand to the turnover or profit of a company, directly referencing financial reports to justify the amount of their demand in any negotiation. Others demand a payment based on the perceived damage and disruption to the victim. At the time of writing the highest publicly reported ransom payment exceeded $1,000,000, in an attack on the servers of South Korean web provider Nayana that shut down more than 3,400 websites. Many other ransom payments have been reported between $50,000 and $500,000. The vast number of unreported ransom payments makes the enterprise an extremely lucrative criminal activity, and it remains an active and very real threat.
Is there a risk of committing a criminal offence by paying?
The payment of a ransom is not of itself illegal in the UK. But, depending on who the money is paid to and in what circumstances, there are three key possible offences to be aware of:
- Money laundering: It is an offence for a person to enter into an arrangement that they know or suspect facilitates the use or control of criminal property. However, a ransom payment may not be considered to be criminal property until it is in the hands of the attackers. The available guidance is that, if the money was in all respects legal until it reached the hands of the cyber criminals, it is unlikely that a prosecution for money laundering would be regarded as being in the public interest. (Proceeds of Crime Act 2002, s328.)
- Financing of Terrorism: It is an offence for a person to provide money if they know or have reasonable cause to suspect that it will or may be used for the purposes of terrorism. More often than not, the attackers operate behind faceless groups. A ransom-payer will often neither be aware nor have reasonable cause to suspect that the ransom will go to a group concerned with terrorism. (Terrorism Act 2000 s15(3).)
- Sanctions: It is an offence under sanctions law to make funds available directly or indirectly to a "designated" individual or entity. Those designated individuals appear on lists published in the UK by OFSI (the Office of Financial Sanctions Implementation). Provided that reasonable due diligence has been conducted, it will not, however, be an offence under English law to make such a payment if you can show that you did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person. This is not the case for the US Office of Foreign Assets Control sanctions regime, which has extraterritorial reach and, if engaged, imposes strict liability. The authorities would first need to establish that money has been made available to a sanctioned individual or entity, but careful due diligence is required to avoid falling foul of that regime. The penalties include fines and custodial criminal sanctions imposed on directors.
"Threat actors" take sophisticated steps to hide their tracks and so, unless there are clear grounds to suspect that the ransom payment would be used to fuel terrorist activity or be paid in contravention of sanctions, it is unlikely that a company that pays in order to protect its staff and customers will face criminal prosecution. Due diligence regarding the "payee" before making any payment will be crucial to that decision.
But of course the moral dilemma remains.
The 'least worst' case scenario
As with many critical decisions, it is important to approach the decision as to whether to pay a ransom in a logical, calm and reasoned way. This is partly about having access to the right information and advice, including on the points raised above. But it's also about the method by which decision-making teams (usually boards or executive committees) approach the decision, especially if doing so remotely via video-conference.
Before opening the (virtual) floor to discussion, start with a calm and thorough exposition of the options, likely and worst case scenarios. Those options and scenarios can then be compared, and the priority issues identified, allowing the decision-making body to form a clear view of the least worst option. This helps to ensure that when views are exchanged, they are on an informed and balanced basis, rather than being driven by instinct and different perspectives. By following this process, the right answer often emerges before the team goes around the table to try to reach consensus.
Doing the right thing
A guiding principle throughout this difficult process is to "do the right thing". That is an easy mantra to adopt in these situations but can be much more difficult to apply. It should take account of legal, commercial and reputational issues, but is ultimately driven by human instinct and moral conscience. It may be easy to form the view "we should never pay criminals", but what the right thing to do is will vary in each case depending on the severity of the potential consequences of paying or not paying. For example, if as a consequence of a cyberattack, medical equipment or data will be lost that will almost certainly endanger many lives, is a flat refusal to consider paying really the right thing to do?
Of course, there is no way to predict precisely how an attack might play out, but undergoing a realistic dry run can be an effective way to evaluate your preparedness. If you would like to test your mettle by taking part in a ransom simulation, please contact one of the experts listed below.