While guidance has been introduced to help businesses understand what measures they should take to address ransomware risk, there are increasingly complex challenges to be navigated when engaging with those behind ransomware attacks and deciding whether to make a payment to recover access to systems and data.
Data published by the Information Commissioner’s Office (ICO) showed that during 2021 and 2022 around 7 per cent of personal data breaches reported were ransomware; however, this represents a 339 per cent increase compared with 2019.
This trend perhaps reflects attackers taking a more targeted approach to the data they are exfiltrating – seeking data that is of value or sensitivity to the victim, so that there is more reason to make a demand and more incentive on a victim to consider paying.
Whilst organisations are making technological improvements in an attempt to be more resilient, ransomware attacks continue to provide rich pickings for attackers, with many victims still choosing to pay the ransom when faced with critical business interruption or reputational risk as a result of an attack.
We have observed increasingly aggressive tactics employed by those behind ransomware attacks, including calling members of staff or contacting data subjects directly to inform them that their data has been leaked. This provides increased pressure on the victim organisation to consider paying the ransom demanded.
SMEs should not think that, due to their size, they will not be the targets of ransomware attacks, as often criminals take a scattergun approach, for example by sending thousands of phishing emails, with the result that any organisation can fall victim.
The ICO recommend that where a ransomware attack has occurred, law enforcement should be notified. If law enforcement bodies request that notifications to individuals are delayed to assist their investigation, close liaison with both law enforcement and the ICO is recommended.
Careful consideration needs to be given to the implications and challenges which can come from the payment of a ransom, which carries risk to the payer, including potential criminal liability. The risk arises broadly from paying a sanctioned entity, or one which is engaged in terrorist activity.
By paying, the payer may also fall foul of anti-money laundering laws. The process of paying a ransom is therefore complex and requires specialist and specific advice, including detailed due diligence to ascertain whether the payer might be construed as having any reason to know or suspect that those behind a ransomware attack have links to any sanctioned entities or terrorist organisations.
Increasingly, organisations are looking to be “cyber ready”, with a comprehensive plan in place setting out how they would respond to a cyber security incident. Such preparation can pay dividends in delivering a comprehensive and timely response to an incident, should it occur, and the Pinsent Masons cyber team is supporting clients both nationally and internationally to ensure “cyber readiness”.
Laura Gillespie, Partner and cyber crime specialist at Pinsent Masons