Ransomware: to pay, or not to pay? | Legal Thinking Podcast
This podcast transcript has been edited in places for readability. You can also listen to our podcast on your podcast platform of choice.
In this episode, we talk about that age-old question: ransomware, to pay or not to pay? We talk to Fran Tremeer and Carl Selby, who are both lawyers at RWK Goodman who specialise in the technology sector. We talk about the different scenarios that might occur, what tactics cyber criminals use, who it might affect, what the guidance is about whether you should pay, why you pay, what you can do to mitigate the risk, and more.
Okay. So obviously we’re here today to chat about whether to pay or not to pay when a business is subject to a ransomware attack or has had some information stolen. Can either of you, Fran or Carl, perhaps just talk about the different scenarios involved in this kind of cyber attack?
Carl Selby: Yeah, sure, I can pick that up. I think there are two key scenarios.
There are obviously lots of variations on these, but the main scenarios are either a ransomware attack, and that's where someone's computer system gets infected by malware that's unlawfully attempting to encrypt files on their computer system. So, you know, typically that would be a server that a business operates, and they then simply can’t access the files on their computer system, and then obviously the cyber criminals go away and try to get a ransom from that business so that they get a key to decrypt the data that's been encrypted on their own system. And in the worst-case scenario, that can basically mean that a business wouldn’t be able to operate at all if they were locked out of all of their systems as a result.
And the second sort of scenario is where a cyber criminal has unlawfully accessed information from a host computer system, they’ve taken that onto their own systems and then threatened to publish that information unless a payment is made to the cyber criminals, and when they’re threatening those things they say that they will not release the information if the payment’s made. So those are the two basic scenarios.
And what are the common tactics that people will use to conduct some cyber crime?
Carl: So the common tactics are, well, there are lots of them, but the most common one is a phishing attack. I’m sure everyone's had emails attempting to extort personal data from them, whether that's a link to a website where you might put in details, or one that mimics another service where you’ve got a login, so that you put your username and password in, which then discloses the password to the cyber criminals. There may be other cyber criminals who try to exploit remote access. Obviously, lots of businesses have remote access IT systems, so they will scan ports on domains to try to find ones that are open that they can exploit to get access to the computer systems of that business. They may try to access privileged accounts, so administrator accounts or accounts that have a higher level of access to allow for maintenance, updating and just general set-up, by, you know, either phishing or by trying to steal the login details for those accounts.
And I think probably the most common one at the moment is that they’re trying to exploit known software or application vulnerabilities, so they will look for systems that haven’t got the latest patches on them, which means that they can get access without needing any of the things I’ve just mentioned in terms of account credentials, etc., and they might do that by looking for old legacy systems. You know, you'd have heard of the WannaCry malware that went around the NHS, and part of that was because there were vast swathes of the NHS system that still ran on Windows XP at the time, which was a very old operating system at that stage, which hadn’t been patched for certain security updates.
They’re also looking for vulnerabilities that are not known yet. So the ones that haven’t been patched, they will be looking to exploit vulnerabilities, in particular in operating systems, whether that's on a server or a device, to allow them access to be able to encrypt files within that system.
And a lot of these tactics aren’t necessarily targeted at particular businesses. They might be, but some of the malware will just circulate around, you know, it will be attached to an email or behind an email link where it's just looking to get to absolutely anyone it can, in the hope that there will be someone who's willing to pay a ransom behind it. And, you know, if you spread that far and wide enough, you might catch a fish.
Yeah, I was going to say, there are obviously platforms out there that lots of people have either personal or business access to, so I suppose if you find a vulnerability, you just get in and you can kind of roam around and see what you find?
Carl: Yeah. And I think, Fran, we’ve found with a couple of clients that they’ve been subject to a phishing attack, so they’ll have given up their password, and then the cyber criminals will use that password to get access to, say, a mailbox in the first instance, but there may be an element of them trying to understand what the rest of the infrastructure is and then checking whether that password works against the other applications. So that's one way of getting in, and then, yeah, they’ll look for, if you’ve got, say, Microsoft 365 and you’re running your emails on that platform, then they’ll be looking at what vulnerabilities Microsoft 365 has and how they can exploit them.
Is there any particular sector that ransomware affects more than others?
Fran Tremeer: All businesses and organisations should be live to this risk and the impact that it could have on them. I think there are statistics that say financial services and health and social care are more at risk.
I mean, Carl's already touched on that with the WannaCry attack on the NHS, and I think the statistics show that those sectors are particularly at risk because of the categories of data that they process, such as, you know, special category data, financial information, medical information in the case of health and social care, but, you know, professional services firms such as lawyers and accountants are also at risk. There's a lot in the press at the moment about the Allen & Overy ransomware attack, and there have been previous firms of that nature subject to them, which the legal press has picked up on.
Hospitality businesses and other kinds of large consumer-facing businesses, where they can get as much data as they want, are probably the most at risk, but I think all organisations should be vigilant.
Carl: Yeah, just to add to that, I'm not entirely sure if they’ve actually paid the ransoms or not, but if you look at where these get raised in the press, there have obviously been things recently where, say, MGM, the big gambling company in Las Vegas and elsewhere in the US, had an issue where they were subject to ransomware and it took down the whole of their casino floors in terms of running slot machines etc., and access to their hotel rooms and all sorts of things. So I think it's anywhere where there's particularly sensitive data.
As Fran said, obviously lawyers and accountants hold a lot of confidential information about their clients that they'd be very keen to protect, but it's also those who are processing large numbers of financial transactions, whether they’re small or large, and anyone who's got a lot of consumer data, because, you know, the reputational damage that the hackers can cause by making those businesses tell their customers about the hack is obviously much more likely to yield significant ransoms to get access back to the information.
This was one of the things that came out of the recent technology campaign that RWK Goodman did, which is that it can affect any business and it's more a question of when and not if. And as a side note as well, I think more and more elements of businesses are entrusted to technology. So, for example, you mentioned hotel room keys there, Carl. Is there going to be more opportunity for people who are conducting these kinds of cyber crimes to exploit different things?
Carl: As always, technology is both a blessing and a curse, in the sense that, you know, let’s say I go to a hotel in Las Vegas and I don’t want to stand in a line to check into the hotel room. They’ve now got apps that allow you to check in online, the key comes onto your phone, sits in your phone's wallet, and you just go up to your room and in you go, which is great until it doesn’t work, or someone else gets access to your room or checks you in online before you get there. And you’ve got to solve that problem when you get there.
So yes, the more technology we have and the more of it that's cloud based, the greater the risk posed by cyber criminals trying to disrupt that process is going to be.
Liam: Indeed. This is what the last Mission Impossible film was about. I don’t know if you’ve seen it. Anyway…
What does the NCSC, the ICO and the Law Society guidance say on this question?
Fran: So the National Cyber Security Centre, the Information Commissioner's Office and the Law Society released some guidance, or drafted a joint letter, I think it was, in the summer of 2022, which said that solicitors should not advise clients to pay ransoms. There are various reasons for this, and I think we are going to talk about the pros and cons today.
One of those is that there's no guarantee that the cyber criminals will keep to their word. You’re negotiating with criminals; how do you know, if you pay the ransom, that they are going to give you your data back, or give you a decryption code to gain access to it? I would stress that, you know, this letter is guidance that's been released, and I think in lots of situations there are good reasons not to pay the ransom, but it's not a hard and fast rule and the decision is not an easy one. Something else that we see where ransoms have been paid is repeat extortion. So you’re asked for £100,000, you pay up. The cyber criminals are happy that they’ve got £100,000 out of you. They now want £200,000 out of you before they give you the decryption key. And where does that end? And, you know, paying the ransom buys into the practice and encourages cyber criminals to continue this type of activity.
Carl: Yeah, quite. And just to go on to the sort of double extortion problem. So let’s say you’ve had the ransomware attack and you’re completely locked out of your system. They start by saying, well, you pay us £100,000 or whatever the figure might be to unlock that information; they either then partially unlock it, don’t unlock it at all, or unlock it entirely and then say, oh, and by the way, we’ve got a copy of all this data, and if you don’t pay us another £100,000, we’re going to publish that to the world. So…
Fran: And use it anyway, yeah.
Carl: Yeah, we’ve solved one problem for you, but we’ve not solved the next. And, you know, as much as the guidance that's been provided from all of those organisations, and the police and Home Office and others, would give you the same answer if they were asked, that you should never pay a ransom, it's not as straightforward a decision for a business as that guidance would lead you to believe, because if you are faced with a scenario where you have got no way of operating your business, because all of your systems are locked down, because there's ransomware that is sitting and preventing you from accessing your systems, well, what are your choices if you’ve got no means of getting access to that data otherwise? (We’ll come on later to how you can take measures to do that.)
Well, you’re left between a rock and a hard place, which is: pay the ransom to get access back, and there's a risk that that won’t work, but then at least you can continue to run your business and start the process of trying, as far as you can, to fix or mitigate the problems that have arisen; or you sit there and look for a technical solution, which may take some time to develop, and in the meantime you can’t do anything. So you’re losing money either way.
You know, for lots of businesses, if they couldn’t run for a week, two weeks, that is going to cause a significant cash flow issue down the line, because you won’t be able to deliver anything to your clients or customers. So it's not as clear cut as saying, well, in no circumstances shall we pay this. It's a really difficult decision that needs to be made on the facts of the case as they present themselves.
But, yeah, I kind of see why, certainly, government-backed organisations or public authorities want to discourage the practice, because, you know, what are cyber criminals looking for? They’re looking to get as many ransoms as they can. If there becomes a practice of just paying them to get things unlocked or to stop information being published, well, they will just continue to do it, because in reality law enforcement isn’t very good at tracking down these cyber criminals, because they’re all over the world, they’re using very sophisticated methods to protect their identity from anyone who's trying to track them, and even if you do identify them, they may be in jurisdictions where the government or law enforcement agencies aren’t realistically going to take any action. So that's a potential problem.
Fran: In these instances, you know, we’re talking about cyber attacks here, but these are also forms of data breaches, and when you are a victim of or have been subject to a data breach, it's all about what you can do to mitigate the breach, particularly from the Information Commissioner's Office's perspective, and I think in the instance of paying a ransom, it's not a mitigation measure.
So if you pay where you’ve lost control of the data, even if you do get it back, which, as we’ve already touched upon, is not always guaranteed, the ICO's guidance is that you should still consider it to be compromised. Someone has still had access to it. Someone has still potentially retained a copy of it to release elsewhere. So paying the ransom to make sure that you can get it back doesn’t actually necessarily give the data any greater protection.
Carl: And equally, if you, you know, pay the ransom to get access back to your own systems and they decrypt it, you have still had a data breach at the point it was inaccessible, even if it's for a short period of time, and the ICO, in particular, have been very clear that they won’t consider that either a mitigation measure or an appropriate measure to restore the data for the purposes of then looking at that breach and working out whether there's any enforcement action that they will take as a result.
You know, there are practical steps, for instance, that you can take that they would suggest over and above paying the ransom, things like making sure that you are trying to restore from backups or create new versions of your systems and restoring data that way.
OK, can you give us ten things that people can do to kind of mitigate the risk of a ransomware or cyber-attack of this nature?
Carl: From a data protection point of view, and this is also sort of good general cyber security hygiene, there are a number of things that you can do to try and, not necessarily mitigate the problems that this causes, because as you say, Ed, it is very much a case of when and not if, but that you can do to reduce the risk that it’ll happen in the first place, and, in the event that it does happen, to make sure that you have an alternative way of getting access back to your systems without having to pay any ransom.
You know, the key problem is, if you are subject to a ransomware attack, that you simply can’t run your business because there's nothing else you can do.
So from a data protection point of view, that's basically introducing technical and organisational measures to prevent unauthorised access to your personal data. Obviously here we’re talking about personal data on the one hand, in that that's where enforcement action is most likely, but this is also just your general business data, and if you protect the personal data, you’ll have the knock-on effect of protecting all your other business data at the same time. And there isn’t a sort of one simple magic bullet that you have to put in place. It will depend on your own IT infrastructure, but I can give you a sort of overview of the key things that people ought to be doing.
So the first thing is making sure that all the devices that access your business network are secure, you know, making sure that they are patched and up to date, they’re using the latest software and they have got appropriate sort of anti-malware, antivirus software installed on them.
The second thing that often comes up in this is just simple password hygiene. I would hate to think, if you did a survey, how many people use the same password for every single thing they have access to, whether that's in a corporate network or not. You know, having unique passwords is all very well and good, but how do you manage that? You might need to look at solutions like password managers, so you can have completely random passwords for every different service that you need to log into.
I think there will be some movement over the next few years towards moving away from passwords. Passkeys have started to be adopted, which would basically restrict access to certain services to specific devices that have been authorised, but in the meantime, on top of just making sure your passwords are good, implement good multi-factor authentication, certainly for any critical access, but I'd argue that it needs to be for every single service that you’re signing on to via the internet, albeit that there needs to be an element of training within that, because I think, Fran, again, we’ve seen instances where obviously the password has been compromised but also the multi-factor authentication has been compromised as well.
Fran: Where devices have access to the authorisation application unexpectedly, for example, or something like that.
Carl: Yeah, or simply that people don’t exercise enough security when a sign-in request comes in on their phone. You know, typically it's a phone that would be used as the second authentication device. I woke up this morning and had a sign-in request on my work phone that I thought, oh, that was two hours ago. I was fast asleep at that point, but it turned out Outlook was trying to log in on my laptop, so it was a genuine request. But if it hadn’t been, it would have been very tempting just to click yes, and it would have got signed in. So users exercising caution is going to be useful.
In terms of other things you can do, certainly you need to have proper firewalls in place that limit the traffic that comes in and out from the internet into your network, and have them properly secured and up to date; that’s something that your IT specialists would need to help you with. Making sure you have things in place like network isolation, so that the devices and servers etc. on your network only talk to the other bits of the network that they need to, so that if malware gets into one device, it doesn’t spread easily across the whole of your infrastructure. In terms of just securing the data, obviously making sure it's encrypted both at rest and in transit will help, and making sure that you have secure remote access, so any point of ingress into your network has got proper security on it, will definitely help.
One thing that I think very often gets forgotten in this is making sure that you have an adequate threat and risk assessment in place, looking at where the potential points are, and then addressing the risks that are identified in that. And that might be through doing things like penetration testing to work out where there are open ports on the network that don’t need to be there, and making sure then that you action those risk assessments to plug any gaps. In terms of backups and disaster recovery, obviously you need to have backups, but you also need to make sure that they are capable of being restored. It's all very well and good having everything backed up, but if you can’t actually get it back, it doesn’t really help.
So making sure you’re testing those backups on a regular basis, and running through what happens in the event of a data breach and how you’re going to react to it. I think Fran will come on later to what happens when you have a data breach, but making sure you’ve planned ahead of time and practised that plan will make a lot of difference to reacting to it quickly. In terms of backups, this is probably oversimplifying it, but the very basic 3-2-1 rule of backup, where you’ve got three copies of the data on at least two different devices, one of which is offsite and separate from your network, is massively important, because if something happens in your infrastructure and you’re then prevented from accessing the backup that you’ve got, and it's not on a separate set of infrastructure, that will probably cause delays in getting around it, and you may not be able to get your data back at that stage.
And then, you know, implementing standards within your organisation can help. So things like Cyber Essentials and ISO 27001 will just make sure that you’ve got the basics covered and lead you in the right direction when it comes to securing your data and making sure backups etc. are accessible.
So what do businesses need to do when a cyber attack does happen?
Fran: These are the key things you should be thinking about, obviously, if you’ve got your cyber incident response plan in place.
Number one, call the experts. When I say experts, I’m talking about various sector specialists: forensic and cyber security specialists to help you deal with the IT and tech situation on the ground, legal advisers, insurers, any PR agent that you know and trust. I think having those people designated already is really important and should form part of your cyber response plan, not calling around, if it happens to you, to work out who you should instruct. Practical considerations with that are, if your whole system is down, how will you communicate with them securely? So, you know, have some contingency plans in place. Cyber security experts might be able to assist you to isolate your network and remove access, potentially to avoid paying the ransom. Obviously, it depends how sophisticated the attack is, but, you know, they are really key to have on the floor. And they’ll also know about the trends and operations of different cyber groups. You know, these cyber criminals are quite proud, I would use the word proud; they often claim credit for attacks of this nature in the press so that people know that it's them that's orchestrated the attack.
Number two is to find out as much as you can about the scale of the attack. So I think we’ve already touched upon this point, but can your business physically function on the ground without access to your systems? Do you have backups in place? How far have the backups been affected? Consider the categories of data that have been impacted and the number of individuals affected. So in that instance, are we talking about names, addresses, telephone numbers, or are we talking about confidential medical information, confidential information about legal or accounting advice, bank details, ID information for your staff, those types of things? And that will feed into the strategy that you are going to use to respond to the attack. And I think one of the key things that people often forget to do when they’re in a crisis like this is to keep records, you know, keep assessments and a timeline of everything that you’re doing.
Number three is to assess your reporting obligations. So in the event of a data breach, I’m sure most organisations will be aware that they have 72 hours to report any reportable data breach to the Information Commissioner's Office. So that decision has to be made quite quickly. You should also consider reporting to the National Cyber Security Centre and potentially the police in the event that there is a criminal act, but it would also depend on what sector you are operating in. So, for example, financial organisations may need to report to the Financial Conduct Authority. Health and social care providers may be required to report to the Care Quality Commission. And there may be other kinds of professional bodies or regulators, depending on which sector you’re operating in.
Number four is to consider public relations. So if it's a high-profile attack, for example, and the press come knocking, what are you going to say to them? Have you got a prepared statement? How are you going to brief your staff? You know, how do you know who the press are going to call? They might call someone lower down the ranks who they think might say more about it and not be quite as prepared as those on the board. So, you know, make sure that everybody is briefed in terms of what to say to the press, but also to customers. Obviously, if it becomes widespread and you don’t have access to your systems and clients are phoning and emailing, then you need to have an agreed strategy for dealing with your customers to ensure there's as much mitigation of the reputational harm as possible, and I think there the key is transparency and making sure that everybody knows what's going on, if the system is so badly affected that you can’t get access to your clients’ files, for example.
Number five is potentially Court action for an injunction. I’ve seen other law firms, actually, who have been subject to a ransomware attack issue Court proceedings for injunctive relief against persons unknown, because obviously you don’t know who the hackers are, and secure a High Court injunction preventing and prohibiting the continued release on the internet of the information that's been affected. My feeling is those may be difficult to enforce, but, you know, they have been granted in various cases that are reported on the internet quite widely.
Carl: Yeah. I think part of the reason for getting an injunction is potentially to stop people who might come into possession of that information, not necessarily the hackers but others to whom it might be disclosed, from then further publishing it, given it's been obtained illegally.
Fran: Yeah, it's about republication on whatever other platforms are being used to do that.
Carl: But again, if you are, say, a law firm and you’ve got a duty of confidentiality to your client, you’ve already got a big problem with someone having got access to the information, but you don’t want it to be a bigger problem by your client's confidential information being spread across the world by others who obtain it illegally. So, yeah, it may well be worth considering where it's particularly sensitive, or there is a bigger duty of confidentiality that you need to preserve.
Fran: Yeah, which makes sense, because most of the organisations I’ve seen obtain injunctions of that nature are solicitors.
Carl: Yeah, that makes sense. And also, you know, from your point of view, Fran, the dispute resolution team wants to do something about it, and what can they do? They can go off to a Court and get an injunction to help out.
Fran: Yeah. And I think, you know, it's important to stress that if you breach an injunction, it's Contempt of Court, which is an imprisonable offence, and potentially you can be subject to a fine as well. So, you know, if you are republishing the information that the hackers or the cyber criminals have obtained, then you need to be aware of that risk to you. And if you are put on notice, then the weight that attaches to the breach of an injunction, I think, should encourage people to take that republication or use of the data seriously.
So time is marching on. So I just wanted to see if there was anything else that you have discovered through your work that people might need to know about with regards to ransomware attacks?
Fran: I think the notion of ransomware as a service is quite an interesting one. So this is an illegal business model whereby developers of ransomware are detached from the actual attackers themselves, and they request that any profits made through the attack are shared with them. And these are quite common because they are conducted by less experienced attackers. So there's a lower barrier to entry and therefore they’re easier to carry out.
So I think, when I was looking at the cyber security survey that the government carried out this year, interestingly, money paid as a ransom was actually the least likely outcome of a cyber attack. But to counter that, 90% of organisations that did pay a ransom in 2023 did get their data back. Higher up on the list of outcomes of ransomware attacks, or cyber attacks generally, was money actually being stolen from the organisation and also a permanent loss of data. So that might be a trend where the ransom is not paid.
Carl: Just on the sort of ransomware as a service. It's interesting that you’ve got developers who are obviously very skilled in creating malicious software and are now looking to profit from it, not through their own efforts but by the efforts of others. So they’re, I guess, trying to de-risk the situation for themselves, because they’re not the ones using the software and therefore not making themselves known to the outside world by doing so. But yeah, it'd be interesting to see how many of those are actually getting paid the licence fee that's due. I can’t imagine there's too much of a code of honour amongst criminals. But yeah, the other thing to mention on paying ransoms is, you know, again, it's not as simple as just paying the ransom and there not being any risk attached to you personally or the business that's paying the ransom.
So often cyber criminals are based in jurisdictions in other parts of the world. A lot of it is being used as proceeds for terrorist financing or other means. So one thing you ought to try and check, as far as is possible, and I appreciate that you probably don’t know who the hackers are, but if you can, try to work out if there's any chance that they are linked to terrorist financing or on a sanctions list, because if you make payments to those people and they are on those lists, then again you would be committing a criminal offence by making the payment. It may be impossible to actually work out in practice, but you ought to think carefully and make sure you’re comfortable with the risk before you make the payment, rather than just ignoring the issue and finding out later that you’ve done something you oughtn’t to have done.
Fran: Yeah, and I think your bank, you know, an organisation's bank, is probably going to be asking questions about payments of that kind of level, because, you know, we’re talking significant sums. And if they don’t know that the recipient of the money is not on the list, then your bank might ask questions: how are you going to assure them, to make the payments so that you can get access to your systems again?
Carl: Yeah. Well, true. Although I suppose it will be the payment to the, probably, cryptocurrency exchange from which you buy the cryptocurrency that the bank will be looking at, which in itself hasn’t necessarily got anything dodgy about it. But ransomware payments are usually demanded in cryptocurrencies of some description. I think, Fran, you said you'd had a recent case where they weren’t demanding it in Bitcoin any longer, because they are using other cryptocurrencies that probably have even less scrutiny around them than Bitcoin does. You know, one of the steps that a business might need to take in paying the ransom is working out how to acquire the relevant cryptocurrency to pay the ransom in. And yeah, at that point your bank may well question what that payment is, because it will almost certainly be an unusual payment from the bank's profiling point of view.
Fran and Carl, thank you very much for your time.