In its guidance, the OFSI warned that making ransomware payments to people or entities targeted by financial sanctions is prohibited and that breaching financial sanctions is “a serious criminal offence”, with imprisonment and fines among the possible penalties for non-compliance. In June 2022, OFSI also gained the power to impose civil penalties up to the greater of £1 million or 50% of the value of the relevant breach on a strict liability basis – that is, by virtue of the fact that a payment has been made to a sanctioned entity.
Businesses can apply to the OFSI for a licence that enables them to undertake activity that would otherwise constitute a breach of financial sanctions. However, while the OFSI said it considers licensing applications on a case-by-case basis, it said “ransomware payments are unlikely to be considered appropriate for an OFSI licence” and that businesses should consider seeking independent legal advice before applying. Obtaining a decision from OFSI on a licence application also typically takes weeks and months, not hours and days, so even if OFSI did consider a licence appropriate in a particular set of circumstances, the timing is likely to be problematic in the context of making a ransomware payment.
Andrew Sackey, also of Pinsent Masons, who specialises in corporate compliance, said: “Although UK government policy does not condone the making of ransom payments, there is no law which expressly prevents such payments where the right levels of diligence have been documented. However, as this development clearly underlines, there are a host of serious criminal and civil sanctions that may be breached if payments are undertaken without expert legal and technical advice.”
“Nobody wants to pay a ransom, but for those businesses that face the commercial necessity of having to engage with threat actors, this is an incredibly difficult and constantly evolving landscape to navigate,” he said.
The OFSI said businesses “should routinely consider whether sanctions might affect their transactions”, recommending that they assess their “own exposure and put due diligence measures in place to manage any identified or anticipated risks of breaching financial sanctions”. It said payment processors and other third parties need to have their own measures in place to address financial sanctions risk if they assist businesses that have fallen victim to ransomware attacks in making ransomware payments.
Gillespie said: “Managing ransomware risk is becoming more complex. Organisations that fall victim to ransomware attacks should seek specialist advice to help them manage their response to those incidents effectively – including to ensure that specialist advice is sought and comprehensive due diligence is carried out if they are contemplating payment of a ransom.”
“The OFSI guidance highlights that, beyond risks in relation to UK financial sanctions, facilitating a ransomware payment may breach the law of other jurisdictions. Businesses must therefore consider local law advice where incidents affect multiple jurisdictions and give thought to their cyber incident preparations in advance of an incident occurring, as starting this process in the heat of a ransomware incident could frustrate the timescale for payment,” she said.