Out-Law News

Ransomware surge reinforces case for ‘specialist compliance due diligence’


Andrew Sackey tells HRNews how specialist compliance due diligence helps protect UK firms facing ransomware payment threats

  • Transcript

    Ransomware attacks are surging and businesses need a response plan in case they are targeted. 

    That is the message following publication of the National Cyber Security Centre’s 2021 annual review, which found that there were three times as many ransomware attacks in the first quarter of 2021 as in the whole of 2019. It warns that the high levels of home working caused by Covid-19 mean criminals are increasingly able to use ‘off-the-shelf’ malware to exploit unpatched software and weaknesses in IT systems to access the employer’s sensitive data.

    Writing about this for Out-Law, Stuart Davey says businesses should prepare for ransomware attacks to increase further in 2022. He says: ‘The uptick in ransomware attacks and likelihood of their continued prevalence serve as a stark reminder of the need for organisations to get cyber-ready.’ He says organisations will find themselves – out of nowhere – thrust into the complex world of managing a business-threatening ransom attack: ‘In all cases serious consideration needs to be given not only to the commercial and criminal risk factors in whether or not to pay a ransom and engage with the attacker but also, whether or not there is a duty to report to organisations such as the ICO, other supervisory and regulatory authorities, the police, the stock market and the data subjects themselves.’ In other words, there is a lot more to this than simply paying a ransom.

    Ransomware is a form of cyber-attack which involves hackers installing malicious software onto computer systems to prevent organisations carrying out everyday operations or accessing data or other assets. The organisation is then prompted to make a payment to the hackers to bring about an end to the attack. See for yourselves – one ransomware victim has been speaking to the BBC about the attack on his business:

    BBC report

    We have been helping a number of clients to prepare for a possible ransomware attack and, more generally, alerting clients to an issue that they may not have given much thought to. Andrew Sackey has written about this for Out-Law and he makes two key points. First, organisations which have taken steps to consider cyber risks upfront are best placed to respond when they happen. Secondly, it is critical that, before any ransoms are paid, the firm conducts ‘specialist compliance due diligence’. He says that’s because, although the payment of a ransom is not of itself illegal, there is always the possibility that the payee may have links with criminal activity which could expose payors to the risk of potential prosecution. So how could that situation arise for companies in this country? I phoned Andrew Sackey to find out:

    Andrew Sackey: “Although in this jurisdiction it is not unlawful to make a cyber-ransom payment, so to someone, for example, who has put malware on your system, it is certainly prohibited if you pay those monies over to somebody, some individual or some entity, who is either on a sanctions list or on a terrorist list or on any of the other sort of composite lists that specialist law enforcement agencies keep, and the test for this is: do you have reasonable grounds to suspect that that's where the money goes? Now, most people say, well, we don't know where the money is going because this cyber threat actor is entirely anonymous, that's why they're plying their trade, but the fact of the matter is that the nature of the criminal attack points to who might be perpetrating it because there are markers that say this type of malware is most often used by this type of group, this type of malware is favoured by another group. So because these databases exist, it is reasonable, say law enforcement, that you have to make use of those before you make the ransom payment. So you can't merely turn a blind eye, you can't merely proceed on the basis that they haven't signed their name to the ransom request, you've got to do really quite specialist due diligence on these lists, which are constantly evolving and constantly changing, to give yourself the best comfort that you don't have reasonable grounds to suspect that your money is going to a prohibited place, because the sanctions for breaching that, as you can imagine, in terms of counterterrorism and counter-sanctions work, are very significant indeed from a criminal perspective. So there is work there that needs to be done before payments are considered.”

    On the subject of cyber security, Pinsent Masons has been carrying out its own research into the scale of the cyber threat. According to the firm’s Cyber Annual Report, ransomware incidents accounted for 31% of the cyber team’s caseload over the past 12 months, up from 16% in 2020. That is pretty much in line with the scale of incidents identified by both the UK’s National Cyber Security Centre and the Information Commissioner’s Office. We have put a link to that report in the transcript of this programme.

    LINKS
    - Link to Pinsent Masons’ Cyber Annual Report
