While official advice on whether to pay a ransom when hit by ransomware continues to state that you are ‘strongly discouraged from making payment’, crucially it acknowledges ‘occasions where a victim may ultimately consider paying a ransom’.
As background, 2023 was the worst year on record for ransomware payments globally, and paying ransom demands fuels the ‘ransomware business model’. The UK and the USA are among the countries that are members of the ‘Counter Ransomware Initiative’, working alongside insurers (who have an interest in ransomware if they offer insurance against such cyber attacks).
The members met last year and issued a statement that ‘strongly discouraged anyone from paying a ransomware demand’, while falling short of ordering businesses not to – the members admit that their guidance is ‘non-binding’ in any event. The members also admit that when hit by ransomware, whether to pay the criminals if that is the only hope of getting data and systems back ‘can be a difficult decision to make’.
Hence the guidance, ‘to minimise the overall impact of a ransomware incident’. It asks you to ‘consider’ the legal and regulatory implications. For example, if the criminals carrying out the ransomware attack and demanding the ransom are terrorists or from a regime under international sanctions, you may break the law by paying a ransom. The guidance suggests that you report the incident, among other reasons to ‘allow the authorities to provide the necessary advice and support to victims’.
The document makes the point that the attackers will seek to apply pressure to get the ransom, by claiming that payment is your only way to recover; rather, you ought to take time to ‘review the options’, and have a ‘clear, data-backed rationale behind decisions’. An insurer may well offer a cyber incident response consultancy firm, as part of the cover.
On the technical side, you should look at whether you have back-ups, or can put in place work-arounds (while checking the risks of further data exfiltration). As for theft of data, which the guidance warns the criminals increasingly carry out besides freezing your IT, you should not trust a promise to delete the stolen data once a ransom is paid. ‘It is good practice for organisations to carry out an assessment to determine what data was compromised and how sensitive it is.’
The document advises that even if the criminals provide a decryption key, it may take time to work; using back-ups may prove quicker. As for procedure, the guidance suggests that you record any decisions, including in case you have to present your case to a regulator such as the Information Commissioner’s Office (ICO) in the UK. After the incident, check where the attack came from and mitigate the weakness, or else you could be open to further ‘incidents’.
For the guidance, visit https://www.gov.uk/government/publications/cri-guidance-for-organisations-during-ransomware-incidents/cri-guidance-for-organisations-during-ransomware-incidents.
What they say
The guidance was released at the Initiative’s 2024 gathering. Home Office Security Minister Dan Jarvis said: “Cyber criminality does not recognise borders. That is why international co-operation is vital to tackle the shared threat of ransomware attacks. This guidance will hit the wallets of cyber criminals, and ultimately help to protect businesses in the UK and around the world.”
In May the UK’s official National Cyber Security Centre (NCSC), with the Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA), similarly issued ‘Guidance for organisations considering payment in ransomware incidents’.
October is Cyber Security Awareness Month.