Businesses urged not to pay cyber extortionists as authorities claim to have evidence of increased ransomware payments.
In a joint letter to the Law Society, the National Cyber Security Center (NCSC) and the Office of the Information Commissioner are warning lawyers who may have advised their clients to pay.
It follows a warning earlier this year from cybersecurity experts in the UK, US and Australia of a “growing wave of increasingly sophisticated ransomware attacks” that could have “devastating consequences”.
The joint letter states that while ransomware payments are “not exceptionally illegal”, those who pay them “should be mindful of the relevance of sanctions regimes (especially those related to Russia)” when considering making the payment.
In December 2019, the United States sanctioned any financial transaction with a Russian cybercrime group accused of having worked with Russian intelligence to steal classified government documents.
Despite the fallout from the Russian war in Ukraine – in one case disconnecting 5,800 wind turbines in Germany – the NCSC claims to have detected no increase in hostile activity targeting Britain during the conflict.
Companies have, however, been warned that there is an increased level of threat from cyberattacks due to the conflict, which is likely to be here ‘for the long haul’.
NCSC chief executive Lindy Cameron said: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone the payment of ransom demands to criminal organisations.
“Unfortunately, we have seen a recent increase in payments to ransomware criminals and the legal industry has a vital role to play in helping reverse this trend.
“Cybersecurity is a collective effort and we urge the legal industry to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
Mrs Cameron previously warned that the challenge that ransomware gangs posed to law enforcement was “acute” as “criminals responsible often operate beyond our borders, increasingly successful in their efforts”.
“We expect ransomware to continue to be an attractive avenue for criminals as long as organizations remain vulnerable and continue to pay,” she said at the time.
Although there have been arguments in favor of criminalizing the payment of ransoms, this poses a number of additional risks, such as providing criminals with an additional factor that they could use to extort their victims.
John Edwards, the Information Commissioner, added: “Engaging with cybercriminals and paying ransoms only incentivizes other criminals and will not guarantee that compromised files will be disclosed.
“It certainly does not reduce the scale or type of ICO enforcement action or the risk to those affected by an attack,” he added, responding to suggestions that some lawyers have told their customers that paying the criminals would be considered a gesture to protect user data.
“We have seen cybercrime cost UK businesses billions over the last five years,” the commissioner said.
“The answer to this must be vigilance, good cyber hygiene, including keeping proper backup files, and proper staff training to identify and stop attacks.
“The organizations will get more credit from these arrangements than by paying the criminals.
“I want to work with the legal profession and the NCSC to ensure companies understand how we will review cases and how they can take practical steps to protect themselves in a way that we will recognize in our response should the worst happen.”