Ransomware attacks are increasing in frequency, scope, and severity. Ransomware demands are also getting higher, and desperate companies are paying up in order to try to get to normal as quickly as possible. 

The official stance from governments and law enforcement agencies has always been that companies shouldn’t pay the ransomware demand, but that doesn’t actually answer the question: is it legal to pay a ransom following a ransomware attack?

Tl;dr – yes.

But it is more complicated than that.

Does anyone actually pay ransomware demands?

Yes, they do. The average ransom paid to unlock networks rose by 270%, from $115,123 in 2019 to $312,493 in 2020. That suggests both that victims are paying and that ransomware gangs know they can ask for more money.

Not every attack comes with a high ransomware demand; the vast majority are relatively small. Some ransomware gangs, however, have demanded (and received) millions of dollars in ransoms:

US infrastructure company Colonial Pipeline paid DarkSide over $4.4 million in June 2021 after a ransomware attack that brought one of the main oil pipelines in the Eastern United States to a standstill.

UK foreign exchange company Travelex paid REvil (Sodinokibi) a final ransom of $2.3 million in January 2020, down from an initial demand of $6 million. The impact of the cyber attack, the ransomware demand, and the loss of reputation later pushed the company into administration.

In May 2021, US insurance company CNA Financial is reported to have paid a ransomware demand of $40 million to the operators of the Phoenix Locker ransomware. This attack, like many others, was a double extortion attack, which increased the pressure on CNA Financial to stop it.

And from the other side, the admins of Ziggy ransomware closed operations back in April 2021 and returned ransoms to former victims. One of the reasons posited for why Ziggy ceased operations is that they had reached their profit target, meaning that plenty of organisations had paid the ransomware demand over time.

What is a ransomware attack?

A ransomware attack is when malware infects a computer, locks or encrypts systems, files, and parts of the network, and demands that the victim pay a ransom in order to unlock them. Ransomware can be delivered through a phishing campaign, through other malware already on the system, or through a direct intrusion into a victim’s systems.

Victims will often pay a ransom if they don’t have a backup in place, or if their backup is also compromised in the attack. 

More recently, ransomware attackers have used double extortion to convince victims to pay: they steal data before they encrypt it, and threaten to release it. This lets the attackers demand a ransom even if the organisation decides not to pay to unlock its files. This form of ransomware is arguably more damaging, as the data may be more valuable than the systems.

What is the result of organisations paying ransomware demands?

Paying up makes the criminals bolder. Receiving a payment shows them that the model works, and makes it profitable to try again. 

In 2021 so far we have seen unprecedented numbers of ransomware attacks, featuring new techniques and greater sophistication. Ransomware gangs are putting more resources into making their attacks succeed because they are confident they will receive a payment at the end of it.

Paying up may make an organisation more vulnerable to future attacks simply because it is known that they will pay. Many cyber criminals are opportunistic: if they spot an easy mark, they will go for it. In fact, research suggests that 80% of organisations who have paid a ransomware demand have been hit a second time.

Many of the organisations who pay ransomware demands pay them through their cyber insurance. While this reduces the burden of the payment on the individual company, insurance companies are now raising premiums for cyber insurance, and increasing the list of cyber security demands for companies looking to get insured.

Cyber insurance has also created a situation whereby ransomware gangs tailor their ransomware demand to the maximum coverage amount included in the policy. This in turn has pushed up ransom amounts.

In addition, some insurance companies are also limiting the cyber attacks they will cover. For example, insurance firm AXA announced in May that it will no longer pay out to French customers who pay the ransom extorted in a ransomware attack.

Why doesn’t the government make paying ransoms illegal?

Banning ransom payments has been proposed time and again, but several key considerations have so far prevented paying a ransomware demand from being made illegal.

Ransomware demands are usually paid by organisations who feel they have no other choice. If they didn’t pay the ransom they would be unable to recover their files, and they would have to go out of business. While some businesses may accept that outcome, others may look for undercover or black market ways to pay ransomware demands.

Other organisations such as hospitals pay ransoms because they can’t afford the downtime caused by encrypted systems. If governments banned ransom payments, these organisations would be caught in lengthy negotiations that they can ill-afford. They may also become more attractive targets to cyber criminals who are looking to maximise the chances of getting paid.

Ransomware gangs are usually in it for the money. When they don’t get the easy ransom, they escalate the scope and severity of the attack – including double extortion attacks. 

So, is it legal to pay the ransom in a ransomware attack?

Yes – for now. It is currently not illegal to pay ransomware demands, but a number of financial sanctions and pieces of legislation make it a grey area.

The US Treasury stated in 2020 that facilitating ransomware payments to sanctioned hackers may be illegal. Similarly in the EU, cyber criminal groups may have financial sanctions placed on them, and it is a criminal offence to breach a financial sanction. 

In the UK, the Terrorism Act 2000 makes it illegal to pay a ransom when there is a suspicion that it is linked to terrorism. Terrorism in this case is defined as an act (including interference with or disruption of an electronic system) which is designed to influence government in order to advance a political, religious, racial, or ideological cause. When dealing with anonymous cyber criminals, it is impossible to know what their true aims are.

Equally, it may not be worth paying a ransomware demand at all. Ransomware gangs’ decryptors are notoriously buggy, and research has found that organisations recover just 65% of their files on average.

Only 8% of organisations recovered all their data after paying a ransom. Furthermore, the computers will still be infected, adding the further cost of removing the malware before the attackers strike again.

Protect, don’t pay

At the end of the day, the best way to recover from a ransomware attack is to prepare for it. Organisations should take the view that it is a question of when, not if, a ransomware gang will attempt to infiltrate their network, and put precautions in place accordingly. These include:

Protect your network

Invest in network protections such as firewalls and VPNs, endpoint or device protection, secure authentication, and a monitoring regime, and create an effective cybersecurity risk management programme. Consider the services of a cyber intelligence service to keep up to date with the latest threats and mitigation techniques.

Include employee training in protection methods, teaching them good cyber hygiene practices including strong passwords, MFA, and how to detect phishing attacks.

Protect your data

More recent ransomware attacks have used double extortion – stealing data before encrypting it so that even if an organisation can restore from backups without paying the ransom, the attackers still have leverage. Add extra protections to data including encryption of sensitive data.

Prepare for an attack

Prepare a ransomware incident response playbook that contains all the relevant information, tasks, and communications the incident response team needs to respond to an attack, including the critical systems to protect or restore and checklists of tasks to follow during an incident. Carry out tabletop or simulation exercises to rehearse the plan.

Prioritise your backup strategy

Ransomware attackers encrypt data and demand a ransom to restore it, but if an organisation has recent, available backups it has no need to pay. Create a regular backup schedule that stores the backups offline or on a network separate from the main company networks. If possible, keep more than one copy of each backup. Test the backups and ensure that they can actually be restored.
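The last step above, testing that backups actually restore, is the one most often skipped. The script below is an added illustration, not code from the original article: it archives a directory, records the SHA-256 of every file in a manifest, then restores the archive into a scratch directory and checks each file against that manifest, so a copy that was silently damaged (or taken after data had already been encrypted) is caught before it is needed. The directory names and sample files are constructed for the demo.

```python
"""Backup manifest and restore test: create a backup, record the SHA-256 of
every file, then prove the backup restores to exactly what was saved.
Added illustration; all paths and sample files below are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path, label: str):
    """Archive source_dir and write a manifest of relative path -> SHA-256.
    The manifest is the reference the restore test checks against, so keep
    it apart from the archive (for example with the offline copy's records)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    archive = backup_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    manifest_path = backup_dir / f"{label}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path):
    """Restore the archive into a scratch directory and compare every file
    against the manifest. Returns (ok, list_of_problems)."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    # Use the 'data' extraction filter (rejects absolute/traversal member
    # names) where this Python version supports it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = {
            p.relative_to(scratch).as_posix()
            for p in Path(scratch).rglob("*") if p.is_file()
        }
        for rel, digest in sorted(expected.items()):
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif sha256_file(Path(scratch) / rel) != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in sorted(restored - set(expected)):
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo() -> dict:
    """Run a clean backup/restore cycle, then one with a corrupted copy."""
    root = Path(tempfile.mkdtemp())
    src = root / "finance"
    (src / "notes").mkdir(parents=True)
    # Constructed sample data standing in for real business files.
    (src / "ledger.csv").write_bytes(b"date,amount\n2021-05-01,100\n")
    (src / "notes" / "readme.txt").write_bytes(b"constructed sample data\n")
    backups = root / "offline_backups"

    archive, manifest = create_backup(src, backups, "finance-2021-05-01")
    clean_ok, clean_problems = verify_backup(archive, manifest)

    # Simulate a copy whose contents no longer match the manifest, e.g.
    # storage corruption or a file encrypted before the copy was taken.
    (src / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00")
    bad_archive, _ = create_backup(src, backups, "finance-corrupted")
    bad_ok, bad_problems = verify_backup(bad_archive, manifest)

    return {"clean_ok": clean_ok, "clean_problems": clean_problems,
            "bad_ok": bad_ok, "bad_problems": bad_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports the clean backup as restorable with no problems and flags the corrupted copy with a hash mismatch on ledger.csv. In practice the manifest should travel with the offline or off-network copy the article recommends, and the restore test should run on a schedule rather than only when an incident is already under way.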

In today’s world, ransomware may be unavoidable. Paying the ransomware demand, however, is.

Stay safe