The rights and wrongs of ransomware

Arthur Piper, IBA Technology Correspondent

Though the number of ransomware attacks is ballooning, there remains a lack of clarity on the legal position of companies and organisations being targeted.

If the war in Ukraine and the cost of living crisis had not dominated the headlines, 2022 might well have been remembered as the year that ransomware attacks went mainstream. Organisations as diverse as Uber and the Costa Rican government found themselves the targets of such strikes. In fact, data breaches caused by ransomware incursions into businesses and public bodies grew last year by 41 per cent, according to research by IBM. During such attacks, hackers lock or steal data and then demand money for its return. The consultancy reckons that such activity will spike in 2023 as criminals target businesses struggling to survive the predicted economic downturn.

Ransomware incidents are ballooning because the practice has industrialised. In the past, hackers most often coded and implemented their own malware to attack their targets, which was time-consuming, if potentially lucrative. More recently, cybercriminals have developed new business models that include ransomware-as-a-service (RaaS). Just like any other software-as-a-service offering, users with low technical proficiency can sign up and access sophisticated software for a fraction of the price it costs to build – and expect a cut of any proceeds from the malware they distribute in return. Those with higher coding proficiency are able to join more exclusive RaaS groups for greater rewards, according to the security firm UpGuard. This commercialisation of hacking tools and techniques has helped to increase both the number and the overall sophistication of attacks globally.

To pay or not to pay?

It should be of little surprise to learn that, according to Statista, 70 per cent of global organisations were affected by such ransom demands in 2022 and that about 63 per cent of those affected paid to get their data back. Of those taking this route, 72 per cent were successful – leaving a significant minority both out of pocket and with no way of reacquiring the stolen data.

That leaves organisations with a dilemma: pay and trust that the very untrustworthy hackers that perpetrated the attack play fair; or, refuse and face the consequences of lost data, reputation and potential regulatory action.

Indications that the legal profession is unclear about its responsibilities, in the UK at least, emerged during the summer of 2022. The volume of ransomware attacks in the UK reached such a level that the Information Commissioner’s Office (ICO) felt the need to write to the legal profession to help clarify the role of those law firms retained to help businesses who had fallen victim to hackers. In a joint letter penned with GCHQ’s National Cyber Security Centre, the UK Information Commissioner John Edwards said rumours had been circulating that some clients believed, or had been advised by lawyers (reading a bit between the lines), that paying a ransom may either protect stolen data or result in a lower penalty from the regulator if it decided to investigate following a breach.


Payments are not unlawful in principle, so there is nothing preventing organisations from paying up and hoping for the best, says Edwards. But if those payments fall into the hands of terrorists, for example, or players that are under the shadow of sanctions regimes – Russia was explicitly mentioned – then businesses could still fall foul of the law. And to address the particular issue that it set out to clarify: ‘For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.’ From a UK legal perspective, organisations need to report relevant breaches to the ICO within 72 hours – but what they do about getting data back is left to them.

When Australia’s largest health insurer Medibank was hacked in October last year in a breach affecting 9.7 million customers, its Chief Executive Officer David Koczkar said that the business would not pay up. He said: ‘Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.’ Instead, the insurer created a comprehensive package of support for its customers.

Along with other high-profile attacks in the country, the breach prompted Australia’s Minister for Home Affairs Clare O’Neil to announce on ABC TV that the government would consider making ransomware payments illegal, as well as restricting the length of time companies could hold data. That, she said, would help decrease the profitability of such actions and make national businesses less of a target. In addition, she said that the Australian Federal Police would team up with the Australian Signals Directorate – an intelligence body – to create a taskforce of 100 officers to combat the problem.

Cybercrime, don't pay

Criminalising businesses that pay ransoms is not a new idea. A year earlier, the same debate played out in the US. In 2021, the US Institute for Security and Technology released a report by the Ransomware Task Force — composed of government officials, cybersecurity experts and businesses — that tellingly failed to reach a consensus on whether to ban ransomware payments. There are arguments either way. On the one hand, for instance, it acknowledged that paying up merely helped fund further criminality. But it also said that there was little ‘organisational cybersecurity maturity across sectors, sizes of organisation, and geographies’. So, effectively, those with the poorest defences would be penalised most if a payment ban were to be enacted.

Helpfully for the Australian government, the report had three recommendations for countries considering a block on ransomware payments. First, it said, governments would need to set up proper victim support and protection programmes, and insurers would need time to update policies. Second, the prohibition should be phased in over a matter of years. Finally, governments must invest in state-funded and insurance-backed support infrastructures, including rapid response teams for critical infrastructure, healthcare and other so-called life-line organisations.

But many experts remain firmly in the no-criminalisation camp. ‘In situations where data cannot otherwise be recovered, and yet its absence could force a company out of business, a critical service offline, or even have life and death consequences, the option to pay should remain on the table as a very last resort’, Rik Ferguson, Vice President of Security Intelligence at the cyber business Forescout, says.

He appreciates that the benefits of criminalisation may include, for example, sweeping away existing confusion around the range of legal pitfalls – from money laundering to terrorist financing – that directors who currently pay up face. And it may force organisations to properly fund cyber defences and proper data protocols. But he also believes it could push ransom payments underground, which would heap further regulatory and legal problems onto businesses.

‘Criminalisation is attacking the issue from the wrong direction’, he says. ‘We should be focusing on the financial systems that make the paper trail so opaque.’

‘Existing legislation in most areas already criminalises the receiving, possessing, or disposing of money that has at any time been delivered as a ransom’, he explains. ‘As emerging cryptocurrency regulations come into effect, the identities of both senders and receivers of cryptocurrency transactions will become clear, forcing criminals to think again about their cashing-out strategies.’

As Global Insight reported last year (see Global Insight June/July 2022), the state of crypto-legislation is far from ideal – and subject to ever-increasing legal dispute. But criminalising the victims of ransomware attacks feels less than ideal. It may be a better idea for organisations with patchy defences around their data to shore them up, and indeed to receive support to do so, rather than continuing to have to pay for not doing so.

Arthur Piper is a freelance journalist and can be contacted at arthur@sdw.co.uk
