Solicitors are being asked to play their part in keeping the UK safe online by helping to tackle a rise in payments being made to ransomware criminals.
In a joint letter, the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) ask the Law Society to remind its members of their advice on ransomware and emphasise that paying a ransom will not keep data safe or be viewed by the ICO as a mitigation in regulatory action.
In their letter, the NCSC – which is a part of GCHQ – and the ICO state that they have seen evidence of a rise in ransomware payments and that in some cases solicitors may have been advising clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO.
The two organisations ask the Law Society to clarify to its members that this is not that case and that they do not encourage or condone paying ransoms, which can further incentivise criminals and will not guarantee that files are returned.
Ransomware involves the encrypting of an organisation’s files by cyber criminals, who demand money in exchange for providing access to them. These attacks are becoming more sophisticated and damaging and the UK Government is working with partners across the board to mitigate the threat. With this in mind, in December 2021 the National Cyber Strategy was launched to provide £2.6bn of new investment and strengthen the UK’s role as a responsible cyber power.
Tackling cyber crime, in particular ransomware, is at the heart of the strategy which aims at increasing capability of law enforcement partners so they can better respond to cyber-attacks. For instance, the National Cyber Crime Unit (NCCU) within the National Crime Agency (NCA) was created to bring together law enforcement experts into a single elite unit. There is also an established network of regional cyber crime units (ROCUs) to provide access to specialist capabilities across the country.
NCSC CEO, Lindy Cameron said: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations. Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cybersecurity is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
John Edwards, UK Information Commissioner, added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”
In the event of a ransomware attack or other cyber crimes, organisations should report directly an ongoing incident to Action Fraud (on 0300 123 2040 which is available 24/7), Information Commissioner’s Office (for data breaches under the GDPR), or to the NCSC for any major cyber incidents. Law enforcement will then be able to mitigate the impact of the attack and secure evidence that can assist an investigation.
The ICO will recognise when organisations have taken steps to fully understand what has happened and learn from it and where appropriate, they have raised their incident with the NCSC and they can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.
Charl van der Walt, Head of Security Research at Orange Cyberdefense said: “If victims keep paying the ransoms demanded of them by cybercriminals, there is no reason to believe that the ransomware crimewave will abate. As Mr Edwards presciently points out, there is not just the impact on individual businesses to consider, but also broader societal harm. Crime theory teaches us that to tackle crime we must demotivate the offender, which, in this case, means cutting off their flow of money. However, because there is no legal barrier to victims claiming ransom payments back on cyber-insurance, they are in some ways being incentivised to pay. Therefore, it is worth evaluating the pros and cons of regulating these payments.
“On one hand, ransom payments essentially fund cybercrime. Paying out leads to more attacks and there is no guarantee that hackers will release the data after receiving payment. It could even result in further demands. However, criminalising ransom payments could shift the focus of criminality from the perpetrator to the victim and set off a chain of unintended consequences, such as a reluctance to report breaches. Combined, this could force the issue underground and make the practice more lucrative for cybercriminals.
“Whether criminalised or not, it is undoubtable that businesses should not pay the ransom demanded of them. Instead, they should alleviate the threat of being targeted by adopting services such as threat detection and response and ensuring staff are trained on how to spot and respond to the threat of ransomware to ensure it doesn’t overcome a business’ defences in the first place.”
Dan Middleton, Vice President UK & Ireland, Veeam Software said: “The damage ransomware can inflict on businesses is staggering. Those that feel they have no choice but to pay cybercriminals in order to unlock their files put their money and their reputation, at risk.
“As explained by Lindy Cameron, CEO of the NCSC and the Information Commissioner, businesses should never pay the ransom demands of cybercriminals. Instead, the only option is to restore data.
“Implementing a full backup and disaster recovery plan gives organisations the ability to recover data in the event of a ransomware attack, minimising the risk of financial and reputational damage. Offsite and offline backups should be implemented to achieve this. I advocate the 3-2-1-1-0 rule, which says there should always be at least three copies of important data, on at least two different types of media, with at least one off-site, one offline, with zero unverified backups or backups completing with errors.
“When combined with prevention measures, such as educating employees and ensuring that cyber-attackers are not being unwittingly gifted access to the data and systems they need to initiate a ransomware attack, backup and disaster recovery is the last line of defence that can help businesses win the ransomware battle.”
The NCSC has a wide range of guidance on mitigating the ransomware threat, for example advising companies to keep offline back-ups. All of its advice can be found on its ransomware pages. The ICO recently updated ransomware guidance can be found on its website.