Naked Security

Paying ransomware crooks won’t reduce your legal risk, warns regulator

"We paid the crooks to keep things under control and make a bad thing better"... isn't a valid excuse. Who knew?

Paying money to ransomware criminals is a contentious issue.

After all, ransomware demands boil down to one thing, whether you know it in everyday language as extortion, blackmail or standover, namely: demanding money with menaces.

Usually, the attackers leave all your precious files where they are, so you can see them sitting there, giving the tantalising impression that you can reach out and access them whenever you want…

…but if you try to open any of them, you’ll find them useless, turned into the colourless digital equivalent of shredded cabbage.

That’s when you’re faced with the extortion, blackmail, standover, call it what you will: “We’ve got a program that will unscramble your files, and we’ve got the decryption key that’s unique to your network. We’ll sell you this rescue toolkit for what we consider a reasonable fee. Contact us to find out how much you’ll need to pay.”

Sometimes, the attackers also steal a tasty selection of your files first, typically uploading your trophy data to an encrypted cloud backup to which they alone hold the access codes.

They then add this into their extortion demands, warning you that if you try to recover the scrambled files yourself, for example by using your backups, they’ll put the stolen data to nefarious use.

They may threaten to leak information to the data protection regulator in your country, or sell the data on to other crooks, or simply dump the juiciest bits where anyone in the world can gorge on them at will.

There’s no doubt that this crime involves both demands and menace, as you can hear in this ransom message, where the crooks didn’t bother to disguise their tone or underlying threats:

Many ransomware gangs run their own “news websites” where they claim to publish “status updates” about companies that refused to pay, aiming to watch them squirm in a way that the criminals hope may “encourage” future victims to do a deal, and pay the blackmail money instead of risking exposure.

Also, ransomware criminals typically don’t break into your network and unleash the file scrambling part of their attack right away.

They may spend days or even weeks snooping around first, and one of the things they’re keen to find out is how you do your backups, so they can mess with them in advance.

The attackers aim to ruin your ability to recover on your own, and thereby to increase the chance that you will be stuck with doing a “deal” with them to get your business back on the rails again.

It’s not all about the data

But it’s not all about getting the data back and re-starting business operations.

It’s also about potential liability, or at least that’s what the UK data protection regulator thinks.

In an open letter to the legal community published late last week, the Information Commissioner’s Office (ICO), together with the National Cyber Security Centre (NCSC, a government advisory body that’s part of the secret intelligence community), wrote the following:

RE: The legal profession and its role in supporting a safer UK online.

[…] In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.

It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.

As the ICO very baldly points out, echoing what we’ve found in our recent ransomware surveys (our emphasis below):

[P]ayment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.

[…] For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.

By the way, if you’ve ever wondered just how readily today’s ransomware payments help to fund tomorrow’s attacks, keep in mind how the infamous REvil ransomware gang once casually dumped $1,000,000 in Bitcoin into an online crime forum.

This up-front payout was as a “lure” to attract criminal affiliates with desirable skills, notably including real-world experience of using and abusing mainstream backup software tools:

https://nakedsecurity.sophos.com/2021/07/09/where-do-all-those-cybercrime-payments-go/

Our ransomware surveys already show that paying off the crooks almost certainly won’t save you money, not least because you still have to go through a recovery exercise that will take as much time as restoring in conventional ways, as well as paying the blackmail.

We also found that the decryption tools supplied by the criminals who attacked you in the first place are often unfit for purpose.

Some victims paid up and got nothing back at all, and very few victims actually managed to recover everything. (Colonial Pipeline allegedly and infamously paid $4,400,000 for a decryptor that was basically useless.)

Now, you also need to know that government regulators aren’t going to accept paying up as a legally valid sort of “we did our best and tried to make good” excuse.

Mitigation of risk, as the ICO refers to it, can’t be achieved by paying extortion demands, because the process of risk mitigation is supposed to go like this:

Where the ICO will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.

What to do?

Combining our own survey findings with the ICO’s legal advice gives these four simple things to remember:

  • Paying up could get you into legal trouble. The ICO notes that paying ransomware demands is not automatically unlawful in the UK. If it’s likely to be the only hope of saving your business and keeping your staff in their jobs, it seems fair to consider paying up as a sort of “necessary evil”. But, as the ICO reminds us, paying up could still get you in trouble because of “relevant sanctions regimes (particularly those related to Russia).”
  • Paying up may be a total failure. There are no guarantees that the criminals will be able to help you recover your data, even if they genuinely want the process to work in order to act as an “advert” to future victims. As we noted above, some victims pay up and recover absolutely nothing, and very few victims who do pay up end up recovering everything. Half of those who pay up lose at least a third of their data anyway, and a third of them lose at least half. (And you don’t get to choose which half that is.)
  • Paying up generally increases your overall cost of recovery. The “recovery tools” aren’t instantaneous and automatic, so you need to add to the blackmail fee the operational costs of actually deploying and using the tools, assuming they work reliably in the first place. Those operational costs are likely to be at least as much as it would cost you to recover from your own backups, given that the overall process is not dissimilar.
  • Paying up will not reduce any data breach penalties. Giving money to the criminals who attacked you in the first place doesn’t count as “mitigating risk”, or as a reasonable precaution, so it can’t be used to argue that your penalty should be reduced, no matter what your legal advisors might think.

Simply put: paying up is not a good idea, should only ever be a last resort, and sometimes serves only to make a bad thing worse.