Ransom demands – to pay or not to pay?

Following the Bar Council Cybersecurity Event on 24 May, Lindsay Hill, CEO at Mitigo Cybersecurity highlights key aspects from the conference, including the Mitigo session which brought to life the frightening impact that a successful ransomware attack could have on chambers.

David Fleming, CTO at Mitigo, ran the session and gave attendees an insight into the ransomware ecosystem, covering three types of criminals:

Initial access brokers (IAB) – these are individuals and groups that focus on infiltrating businesses through a variety of methods. Once access has been gained, they then pass this to affiliates or the ransomware groups in order that the opportunity to blackmail victims may be fully exploited. The IABs therefore operate as “lead generators”.

Affiliates – these are the criminals using ransomware as a service (Raas), purchased from one or more ransomware groups, which allows them to infect the victims which either they have infiltrated or an IAB has passed to them. The affiliates have been a key driver of the increase in ransomware attacks in recent years. The ransomware groups provide them with instructions and breach recommendations. The affiliates in turn then bring the infected victims to the ransomware groups for negotiation.

Ransomware groups – these groups are at the top of the pyramid and will have gang members with a variety of roles including developing and testing the ransomware, creating dark web leak websites, managing negotiations, marketing and selling Raas and other activities.

At the event, David demonstrated a simulation of a real ransomware attack, showing the different phases and the decisions that have to be made at each stage including:

• The initial ransom demand and realisation that the attackers were in the system
• The threat to publish highly confidential client information which had been stolen
• The uncertainty of back-up resilience
• The blackmail countdown
• Whether or not to pay, and who decides, negotiates and pays
• Reporting obligations.

To pay or not to pay?

The conference had a debate on the legitimacy and efficacy of paying ransom demands. The position of law enforcement agencies such as the Information Commissioner’s Office (ICO), and National Cyber Security Centre (NCSC) is clear. In their joint letter in summer 2022 to the Law Society and Bar Council, the ICO and NCSC said that although payment is not usually unlawful (subject to any sanctions regime), demands should not be paid because they incentivise more of the same illegal activity. In addition, the payment would not guarantee the decryption of networks or the return of stolen data; that the ICO would not consider payment as mitigating the risk to individuals; and that it would not result in a lower penalty by the ICO.

The Law Society position is that they do “not advise [their] members to pay ransoms, nor suggest that is what they should advise their clients”. The Bar Council has IT guidance available and will soon publish information on this specific issue.

There is no excuse for negligent security practices whether they result in cyber breaches or not. However, once a set is in that position, for so long as paying a ransom demand remains legal (and indeed some cyber insurers offer cover for such payments), it is understandable why some victims decide that payment is in the best interests of their business (perhaps even for its survival) or the best interests of their clients.

But the decision to pay or not to pay, which must be taken against a ticking clock, is a very difficult and fraught one. In every possible respect, it is much better to have taken the proactive decision to put the most appropriate cyber risk management in place instead.