Out-Law Analysis
25 Jan 2023, 4:25 pm
Ransomware attacks are increasing in volume, but there is evidence that regulators are losing sympathy with organisations that fall victim to such incidents.
However, while guidance has been introduced to help businesses understand what measures they should take to address ransomware risk, there are increasingly complex challenges they must navigate when engaging with those behind ransomware attacks and deciding whether to make a payment to recover access to systems and data.
The UK National Cyber Security Centre (NCSC) recognises ransomware as the biggest cyber threat facing the UK. That said, following an explosion in the volume of ransomware attacks on businesses in 2020 and 2021, the increase in cases in 2022 was more modest – perhaps as a result of cyber criminals being more focused on the Russia-Ukraine conflict than on ordinary businesses.
According to data published by the UK’s Information Commissioner’s Office (ICO), the proportion of personal data breach incidents reported as ransomware held firm at 7% of cases across both 2021 and 2022. Comparing the ICO’s data for the first quarter of 2022 with the second quarter of 2019, however, shows a 339% increase in ransomware-related reports over that period.
This increase is consistent with the rise in ransomware cases that the cyber risk team at Pinsent Masons have seen in our own work. In 2022, a ransom was demanded in 45% of all cyber incident cases that the team worked on, up from 31% in 2021, 16% in 2020 and just 14% in 2019. This trend perhaps reflects attackers taking a more targeted approach to the data they are exfiltrating – seeking data that is of value or sensitivity to the victim so that there is more reason to make a demand and more incentive on a victim to consider paying.
Ransomware will continue to be the number one threat in 2023: whilst organisations are making technological improvements in an attempt to be more resilient, ransomware attacks continue to provide rich pickings for attackers, with many victims still choosing to pay the ransom when faced with critical business interruption or reputational risk as a result of an attack.
We have observed increasingly aggressive tactics employed by those behind ransomware attacks, including calling members of staff or contacting data subjects directly to inform them that their data has been leaked. This provides increased pressure on the victim organisation to consider paying the ransom demanded.
In March 2022, the ICO published guidance for organisations to help them understand the most common ransomware compliance issues it had encountered whilst conducting its investigations. At the time, the ICO highlighted the increasing number and severity of ransomware attacks and that cyber criminals are increasingly motivated by the prospect of turning compromised data into money.
The guidance focuses on eight issues.
SMEs should not assume that, due to their size, they will not be targeted by ransomware attacks. Often, criminals take a scattergun approach, for example by sending thousands of phishing emails, with the result that any organisation can fall victim. Following guidance such as the NCSC’s Cyber Essentials or its 10 Steps to Cyber Security is recommended.
Exfiltration of data is not the only area of focus. It is important to also consider whether there has been a loss of access affecting individuals, whether the nature of the access has put personal data at risk, or whether critical systems, such as payroll, have been taken offline or otherwise impacted – either as a direct result of the attack, or as a mitigation step whilst systems are ‘cleaned’ or safely restored.
Exfiltration of data can increase the risk to individuals and the ICO notes that data exfiltration should be taken into account as part of a risk assessment exercise. However, whilst the occurrence of data exfiltration is an important consideration, account should also be taken of, for example, the effect of lack of availability, loss of control, whether restoration can be achieved in a timely manner and confidence in detection and monitoring controls.
The ICO recommends that where a ransomware attack has occurred, law enforcement should be notified. If law enforcement bodies request that notifications to individuals are delayed to assist their investigation, close liaison with both law enforcement and the ICO is recommended.
Attackers’ tactics, techniques and procedures are constantly evolving. The ICO points to frameworks such as MITRE ATT&CK, which provide a bank of tactics, techniques and procedures used to inform security teams in assessing what organisational and technical controls are necessary to address the risks.
The speed and ease with which an organisation is able to recover from a ransomware attack will depend on many things, but central to that will be the availability of recent data back-ups. To thwart recovery attempts, and therefore increase the potential to monetise the attack, those behind ransomware attacks will try to delete or encrypt back-up data. As such, considering issues such as segregation of data, or offline copies of back-ups, is crucial.
Careful consideration needs to be given to the implications and challenges which can come from the payment of a ransom. Payment does not guarantee that information will be restored, nor that exfiltrated copies will be deleted by the threat actor. If attackers have exfiltrated data, then an organisation has lost control of it.
Given the speed and nature of change of the tactics, techniques and procedures used by those behind ransomware attacks, regular testing and evaluation of systems and controls is important. This should include areas such as patch and account management.
In 2022, the ICO issued its first fines against organisations under the UK General Data Protection Regulation (GDPR) in respect of ransomware incidents.
On 10 March 2022, the ICO issued a fine of £98,000 against Tuckers Solicitors LLP. The law firm, which specialised in criminal law, suffered a ransomware attack in August 2020 when hackers gained access to systems and encrypted over 970,000 individual files, of which over 24,000 were court document ‘bundles’. The hackers published a small number of files on the dark web to evidence exfiltration, which included sensitive information such as medical files, witness statements and contact details for victims.
The case contained some learning points for other organisations.
For example, in issuing its monetary penalty notice, the ICO was critical of the lack of multi-factor authentication (MFA) on user remote access, especially where it was a cost-effective solution. The ICO considered its absence in this case had created a risk to personal data on the law firm’s systems.
However, forensic intelligence has emerged since the ICO’s decision that suggests a tool known as ‘EvilProxy’ is being used by cyber criminals as a means of successfully bypassing MFA. This is indicative of the speed with which attackers’ tactics change and presents a further challenge to data security.
It is also crucial that security controls include continual assessment to ensure that any necessary software patches or updates are applied. Tuckers had identified the need to apply a particular patch but took almost four months to implement it. The ICO pointed to guidance which recommends that critical vulnerabilities identified by software developers are patched within two weeks of the relevant patch release. Unless there is a rigorous process for identifying and applying patches, controllers will carry the risk of significant criticism if this is a factor in a subsequent data breach.
In the Tuckers case, an archive server where the court document bundles were held did not benefit from protective encryption. Had it been applied it would have added an extra layer of security to render the data unintelligible to the hackers. The ICO said Tuckers should have been encrypting archived document bundles.
The fine imposed on Tuckers was at the top end of what the ICO was able to apply under the UK GDPR. It constituted 3.25% of the firm’s annual global turnover, with the maximum fine available to the ICO in the case being 4%. The decision clearly demonstrates the expectations that the ICO now has of controllers – if there are failings in what is perceived to be required around fundamental security controls, then enforcement is likely to follow.
In October 2022, the ICO fined construction company Interserve Group Limited £4.4 million in another ransomware case. The root cause of the incident was found to be a phishing email. A hacker compromised 283 systems and 16 accounts. They accessed four HR databases containing records of over 100,000 employees. No evidence was found of the data having been exfiltrated.
When announcing the fine, John Edwards, the UK information commissioner, warned businesses against internal complacency over cyber risk and said those that don’t regularly monitor for suspicious activity in systems or act on warnings, or that don’t update software and fail to provide training to staff, can expect similar fines to be imposed by the ICO. This is a stark warning, but a clear reminder of what any action list needs to include for organisations processing personal data.
Whether to engage with those behind ransomware attacks is not a decision any board will want to contemplate. However, in certain circumstances, it may be necessary to explore.
Money is the main motivation for many cyber criminals, so the more payment ransomware attacks deliver, the greater the incentive to continue them. However, some action is being taken globally to disrupt the business model.
Most notably, the Australian government is considering a proposal to ban cyber ransom payments in light of the Medibank incident in which around 9.7 million records were compromised and sensitive documents – including abortion details – published. Those behind the attack reportedly demanded payment of a dollar for each record.
In the UK, both the NCSC and the ICO have said they do not recommend payment of a ransom. In July 2022, the two bodies went further by issuing a joint letter to the Law Society of England & Wales, seeking to remind solicitors of their advice that the payment of a ransom will not keep data safe, nor be viewed as a mitigating factor when assessing the risk to personal data.
The letter serves to remind controllers that, if they suffer a ransomware attack, paying a ransom will not negate the requirement to notify the ICO and/or data subjects of any resultant personal data breach under the GDPR, nor third parties under any contractual duty to do so. Any assessment of risk in relation to these obligations is not to be influenced by payment of the ransom.
Often, though, the driver to pay a ransom comes from business continuity issues – securing a decryption key by ransom payment may be a necessary evil. However, there are legal risks to navigate when paying a ransom.
Paying a ransom carries risk to the payor, including potential criminal liability. The risk arises broadly from paying a sanctioned entity, or one which is engaged in terrorist activity. By paying, the payor may also fall foul of anti-money laundering laws. The process of paying a ransom is therefore complex and requires specialist and specific advice, which includes detailed due diligence to ascertain whether the payor might be construed as having any reason to know or suspect that those behind a ransomware attack have links to any sanctioned entities or terrorist organisations.
During 2022 there was a substantial increase in the number of entities that were subjected to sanctions, in response to Russia’s invasion of Ukraine. If a sanctioned entity is involved in a ransomware case, this will prohibit lawful payment of the ransom.
Fast-tracked to respond to global events, the Economic Crime (Transparency and Enforcement) Act 2022 was enacted in the UK in March 2022. Its aim is to strengthen the UK's fight against economic crime – including sanctions breaches. As a result, for breaches of financial sanctions that took place on or after 15 June 2022, the Office of Financial Sanctions Implementation (OFSI) now has the power to impose civil penalties up to the greater of £1 million or 50% of the value of the relevant breach.
The fines can be imposed by the OFSI on a strict liability basis, meaning it is not necessary for OFSI to show that the relevant person had knowledge or reasonable cause to suspect that they were dealing with a sanctioned entity – the fact that payment has been made to such an entity would in itself be sufficient to trigger a civil monetary penalty.
Despite this, updated guidance issued by the OFSI states that the question of knowledge or suspicion remains relevant to its assessment of whether the issue of a civil monetary penalty is a proportionate response. Other factors include compliance systems, voluntary disclosures, cooperation, and the public interest. No civil monetary penalties have yet been imposed by the OFSI on a strict liability basis.