The number of businesses paying a ransom following a ransomware attack is going up and the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) are asking solicitors to remind their clients that paying up won’t keep their data safe.
In a joint letter sent to The Law Society, the NCSC and ICO say there’s been a rise in ransomware payments and that in some cases solicitors “may have been advising clients to pay” ransoms in the belief that it will keep the data safe or result in a lower financial penalty from the ICO. The Law Society is the professional association for solicitors in England and Wales.
“In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case,” the letter from the NCSC and ICO said.
Both agencies are clear that this isn’t the case: paying the ransom is not condoned, and every payment simply encourages cyber criminals to conduct more ransomware attacks.
The letter also issues a reminder that paying the ransom isn’t a guarantee that data will be returned. That’s because, even if an encryption key is provided, it may not work properly. There’s also no guarantee that cyber criminals will keep their word and delete data stolen as part of a ‘double extortion’ attack designed to intimidate victims into paying.
“Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations. Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend,” said Lindy Cameron, CEO of the NCSC.
“Cybersecurity is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online,” she added.
And the ICO has warned that paying a ransom to retrieve data will not reduce the potential financial penalties under GDPR for businesses which suffer a data breach as a result of a ransomware attack.
“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack,” said John Edwards, the UK Information Commissioner.
“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals,” he added.
The letter to The Law Society issues a reminder that the NCSC “provides support and incident response to mitigate harm and learn broader cyber security lessons” and that victims of cyber crime are urged to come forward for help resolving a cyber incident.
“We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,” a spokesperson for The Law Society told ZDNet.
“We provide advice to our members about the steps they should take to meet their obligations to keep their businesses cyber secure through our Practice Notes, regular updates on our website, and events, and we promote the helpful resources and guidance provided by both the NCSC and the ICO in doing so,” they added.
The NCSC has previously issued guidance on how businesses can protect themselves from ransomware attacks – such as providing users with multi-factor authentication (MFA) and swiftly applying security patches – and on what to do if they do find their network compromised. ZDNet has approached The Law Society for comment.