Due diligence ‘vital’ in ransomware cases

In the event of a ransomware attack would you know what to do? If not, it could prove very costly. Ransomware is now such a serious threat that a global coalition of technology companies and law enforcement bodies is calling for ‘aggressive and urgent’ action to deal with it. Microsoft, Amazon, the FBI, and the UK's National Crime Agency have joined the Ransomware Task Force in giving governments nearly 50 recommendations. 

We will come on to consider what you can do to protect your business but first to explain the problem. Ransomware is a form of cyber-attack which involves hackers installing malicious software onto computer systems to prevent organisations carrying out everyday operations or accessing data or other assets. The organisation is then prompted to make a payment to the hackers to bring about an end to the attack. Martin Kelterborn is a ransomware victim who spoke to the BBC about the attack on his business:

BBC report

We have been helping a number of clients to prepare for a possible ransomware attack. Andrew Sackey and Stuart Davey have written about this for Outlaw flagging the exponential growth in this problem - there were nearly three times as many ransomware incidents in the UK in 2020 than in 2019. They make two key points. First, they say they organisations which have taken steps to consider cyber risks upfront are best placed to respond when they happen. Secondly, it is critical that before any ransoms are paid to undertake what they call ‘specialist compliance due diligence’. That’s because although the payment of a ransom is not of itself illegal, there is always the possibility that the payee may have links with criminal activity which could expose payors to the risk of potential prosecution. So how could that situation arise for companies in this country? I phoned Andrew Sackey to find out:

Andrew Sackey: “Although in this jurisdiction it is not unlawful to make a cyber-ransom payment, so to someone, for example, who has put malware on your system, it is certainly prohibited if you pay those monies over to somebody, some individual or some entity, who is either on a sanctions list or on a terrorist list or on any of the other sort of composite lists that specialist law enforcement agencies keep and the test for this is do you have reasonable grounds to suspect that that's where the money goes? Now, most people say, well, we don't know where the money is going because this cyber threat actor is entirely anonymous, that's why they're plying their trade, but the fact of the matter is that the nature of the criminal attack points to who might be perpetrating it because there are markers that say this type of malware is most often used by this type of group, this type of malware is favoured by another group. So because these databases exist, it is reasonable say law enforcement, that you have to make use of those before you make the ransom payment. So you can't merely turn a blind eye, you can't merely proceed on the basis that they haven't signed their name to the ransom request, you've got to do really quite specialist due diligence on these lists, which are constantly evolving and constantly changing, to give yourself the best comfort that you don't have reasonable grounds to suspect that your money is going to prohibited place because the sanctions for breaching that, as you can imagine, in in terms of counterterrorism and counter sanctions work, are very significant, indeed, from a criminal perspective. So there is work there that needs to be done before payments are considered."

It is worth mentioning that at the end of last year Pinsent Masons launched a digital cyber-attack response platform called Cyturion. It’s designed to help clients develop a response plan – so setting out what to do, who does it and how they do it. If you would like more details about that we recommend reading David McIlwaine’s article on Cyturion which is on screen there for you. You can find that on the Outlaw website.