With increased remote working as a result of the COVID-19 pandemic, we are all more alive to the risk of cyber threats and attacks. One of the cyber threats that came to the forefront of people's minds in 2020 was ransomware attacks.
At its most basic level, a ransomware attack is where malware infects a computer network, encrypting the data and making it unavailable until a ransom is paid, at which point a decryption tool is provided.
However, the factors that need to be considered when faced with a ransomware attack are broader, and much more complex, than simply whether or not the ransom demand should be paid.
For example, is there any risk that data could be disclosed or disseminated if the ransom is not paid?
If victims of ransomware attacks have good offline data backup practices, then there may not be any need to pay a ransom demand: they can simply restore the data that has been encrypted from their backup. However, whilst some ransomware will simply encrypt data and make it unavailable until the correct decryption tool is deployed, other ransomware can also copy data from a network, thus giving the attackers access to it. Therefore, even if encrypted data can be restored from a backup, thereby negating the immediate need to pay the ransom, there is still a risk that those responsible for the ransomware attack could disclose or disseminate the data if the ransom is not paid.
This then leads on to a further consideration. Depending on what the data is, the attackers gaining access to it and carrying out such a threat could result in a breach of the General Data Protection Regulation (“GDPR”), a duty of confidentiality, legal professional privilege, trade secrets, privacy rights etc., and civil litigation and regulatory action may follow. The prospect of civil litigation may be of particular concern, as group actions are increasingly being brought for data protection breaches, and regulatory action may result in the imposition of large fines: in 2020, the Information Commissioner's Office imposed fines of £20 million and £18.4 million on British Airways Plc and Marriott International Inc, respectively, for data protection breaches, albeit not as a result of ransomware attacks.
Therefore, if there is a disclosure or dissemination of data following the non-payment of a ransomware demand, or a threat in the event of non-payment, then, not only may liaison with regulatory authorities be required, but recourse to the courts' interim injunctive relief may also be needed in order to mitigate the consequences.
Where, however, good offline data backup practices are not in place, or consideration is being given to paying the ransom for other reasons, consideration will also need to be given to whether there is a risk of criminal liability or a monetary penalty if the ransom is paid.
Although paying a ransom is not in and of itself illegal in England and Wales, individuals and/or groups behind ransomware attacks may be state-sponsored, associated with designated persons and entities under financial sanctions regimes, or proscribed entities under terrorism legislation. Therefore, there is a risk that the payment of a ransom demand may contravene or circumvent financial sanctions and restrictions, or may finance terrorism. Where it is possible to identify those responsible for a ransomware attack, it may be possible to conduct due diligence in order to determine whether this is the case. However, such identification rarely reveals true identities. Therefore, whether the attackers are identified or anonymous, there is likely to be little or no information upon which meaningful due diligence or an investigation can be conducted. As such, unless there are clear grounds for suspecting that the payment would be used for the purposes of terrorism or is for, or for the benefit of, a designated person or entity, it is unlikely that victims of ransomware attacks will face criminal liability or monetary penalties for paying ransoms.
The position may be different, however, if the ransom is demanded in cryptoassets. Although they are becoming a worldwide trading commodity, cryptoassets are still considered to be 'the currency of choice' for criminal activities and organisations. Therefore, if a ransom is demanded in cryptoassets, it could be argued that there is reasonable cause to suspect that they will or may be used for the purposes of terrorism, or that they are for, or for the benefit of, a designated person or entity. Thus there is a potential risk that a cryptoasset ransom payment may attract criminal liability or a monetary penalty.
The considerations as to criminal liability and monetary penalties do not only apply to the victims of ransomware attacks: the financial institutions and cryptoasset exchange providers involved in the payment of ransom demands also need to be alert to their potential liability and obligations under financial sanctions regimes, terrorist financing legislation and money laundering regulations.
Thus responding to a ransomware attack, especially when the ransom demand is for cryptoassets, involves broader and much more complex considerations than simply whether or not to pay the ransom demand; and that is on top of all the other considerations that arise in the wake of such an incident: investigation of how the attack happened and what has been compromised, system clean-up, enhancing technical and organisational security measures, public relations, notifying data subjects, mitigating any damage to data subjects, mitigating business interruption losses etc.
Given that, in a lot of ransomware attacks, 'time is of the essence', these are not easy considerations. Individuals and corporates should not only ensure that they have good offline data backup practices and planned and rehearsed response processes and procedures, but should also seek legal advice in respect of any potential civil, regulatory or criminal liability.
Ceri Davis is one of the authors of Cyber Litigation: The Legal Principles.