Don't Pay Ransoms, UK Government and Privacy Watchdog Urge
Authorities Still Seeing a Strong Flow of Payments to Ransomware-Wielding Criminals
"Never pay ransomware." That message remains unchanged since extortionists began pummeling organizations worldwide with demands for digital coins in exchange for decrypting maliciously encrypted data.
It doesn't appear to have landed. As blockchain intelligence firm Chainalysis reports, victims last year paid out cryptocurrency worth more than $600 million to ransomware-wielding gangs. Clearly, ransomware remains a tidy moneymaker for the criminally inclined.
As an FBI special agent told a 2018 conference in Scotland: "As much as we tell people not to pay the ransom, people pay the ransom."
Now, Britain's independent privacy watchdog, the Information Commissioner's Office, and the government's cybersecurity agency, the National Cyber Security Center, are trying a new tack.
In a letter to the Law Society, an independent professional body for solicitors in England and Wales, Information Commissioner John Edwards and National Cyber Security Center CEO Lindy Cameron urge lawyers not to advise their clients to pay up. Neither should solicitors suggest that payments to criminals will lessen clients' exposure to governmental fines.
"In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay," Edwards and Cameron write.
"It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation," they add. "We would like to be clear that this is not the case."
As the letter makes clear, paying a ransom also provides:
- No guarantee that the victim will receive a working decryption tool;
- Zero assurance that stolen data will not be resold or leaked, whatever criminals might promise in return;
- No immunization for victims from repeat attacks by the same or other criminal groups.
The Law Society responded with a tweet: "We do not advise members to pay ransoms, nor suggest that is what they should advise their clients."
The ransomware problem isn't going away. While some individual ransomware groups - such as Sodinokibi/REvil, DarkSide and Conti - may have faded away or rebranded, ransomware attacks continue to pummel organizations of all sizes.
Lately, North Korea appears to be spending more time trying to get in on the action. Last week, a new alert from the U.S. government warned that a strain of malware called Maui, which appears to be wielded by North Korea-aligned attackers, has been targeting healthcare organizations and the public health sector.
To help, the U.S. Cybersecurity and Infrastructure Security Agency offers extensive ransomware guidance and resources for both before and after attacks.
Likewise, the ICO recently published updated ransomware guidance, while the NCSC maintains an information hub for preventing and responding to ransomware. Both organizations say they have already been working closely with Britain's insurance industry to find new ways to drive better ransomware defenses.
Law enforcement and government agencies continue to state this clearly: The decision about whether to pay or not to pay a ransom remains a business decision. But there are exceptions involving individuals and organizations that have been sanctioned by the United States, such as the Russian cybercrime group Evil Corp. In such cases, paying a ransom to the sanctioned entity would violate U.S. Department of the Treasury regulations, which are enforced worldwide.
Even here, victims have a degree of wiggle room, especially if they can prove to U.S. authorities that they had taken reasonable and proactive steps to safeguard themselves against ransomware. "When affected parties take these proactive steps, Treasury's Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response," according to the Maui alert.
Organizations might still get fined or get a slap on the wrist, but enforcement need not necessarily be made public, so long as companies made a good effort to do everything else correctly.
Even the best-prepared organizations may still fall victim to ransomware attacks.
In some cases, paying a ransom can mean the difference between a company staying in business or having to shut down and lay everyone off. In other cases, paying may be key to minimizing service disruption, which remains the primary concern for hospitals.
Of course, this is why criminals continue to wield ransomware, especially against targets that will do everything they can - at least after the fact - to avoid disruptions or having to go out of business.
As authorities continue to urge, many organizations need to get better at doing everything they can to survive such an attack, before ever getting hit by ransomware, because the underlying economic equation hasn't changed. Simply put: Spend less to prepare properly now and avoid ever having to pay a ransom. Otherwise, regardless of whether you end up succumbing to a ransom demand, prepare to pay much more later.