Ransomware: To Pay or Not to Pay - sounds rather like a dash of Shakespearean theatrics. But it is not so simple! Ransomware attacks are a force to be reckoned with and are carried out by sophisticated criminal organisations. They are perhaps best described as a reign of terror, leaving unimaginable consequences in their wake. That sounds more like the horror movie Dracula. But before we get into all the scary stuff, let’s take a step back and explain what ransomware is all about.
Ransomware is a type of malware attack in which an attacker locks and encrypts the victim’s data or important files and then demands large sums of money to unlock and decrypt the data. To cut through the technical verbiage, the best description we have come across is that ransomware is a profit-motivated crime. It is a sustainable and lucrative business model for cybercriminals and puts every business that uses technology at risk.
Ransomware attacks have a crippling effect, striking at the very core of a business and bringing it to a grinding halt. Where access to systems and data is critical, as in banking, healthcare or public services, the impact is severe. With the threat of reputational damage following service interruptions, potential loss of life, economic disruption and insolvency, businesses are often confronted with the question: To Pay or Not to Pay?
This is by no means an easy decision, and the answer is not a traditional yes or no but rather a matter of "it depends". Every situation is different, and some analysts have suggested that, in making such a decision, it is important to tie the answer to business outcomes: in other words, whether the business loss is large enough to justify rolling the dice on making payment.
The trend is that most companies will pay to recover their critical assets and would prefer to remain silent where possible. The reasons given for paying the ransom include costly downtime, revenue loss, reputational harm (loss of customer confidence), the cost of recovering from the ransomware exceeding the ransom payment, and protecting data from being exposed.
The truth of the matter is that paying a ransom does more harm than good. Some very good reasons that have been proffered for why businesses should not pay a ransom include:
- It is a funding mechanism for hackers to carry out future and repeated attacks;
- There is no certainty that access to systems and data is restored after the payment of the ransom;
- It creates a playing field for escalating payments: hackers are renowned for seeking a second payment, the first being for the decryption key and the second to ensure that the data is not released; and
- Payment of ransoms, in certain instances, is illegal because it may provide funding for criminal activities such as terrorism, human trafficking and child exploitation.
Ultimately, it is the very function of payment that begets more attacks and fuels the cyber organized crime “economy” and ecosystem. With the exponential climb in ransomware, the overall consensus is that a payment ban or prohibition should be legally implemented so as to positively improve the function of prevention, deterrence and disruption. The resultant effect is that the very basis for the existence of ransomware could be eradicated.
In the United States, cybercrime, and ransomware in particular, has seen a strong push for reform. Presently, however, whilst some states are calling for an outright ban on public or state entities paying ransomware demands, the official position is that private entities and/or citizens are only strongly discouraged from paying such demands.
The United Kingdom and European Union position is similar – there is no general law against ransom payments. However, across the board in the US, UK and EU, companies must be mindful of the risk of violating the laws enacted in each jurisdiction relating to terrorism, anti-money laundering (AML) and countering the financing of terrorism (CFT). In general terms, a person commits an offence if he or she (a) provides money or other property, and (b) knows or has reasonable cause to suspect that it will or may be used for terrorism. Bearing this in mind, there is a real possibility that a ransomware payment made following a cyber attack goes to cybercrime groups or individuals associated with natural or legal persons, entities or bodies involved in terrorism, money laundering or the financing of terrorism. Moreover, such cybercrime groups may even appear on a sanctions list maintained by OFAC, the Office of Foreign Assets Control of the US, or on the sanctions lists of the EU or UK.
From a South African perspective, whilst we do not maintain our own sanctions list (as the US, UK and EU do), one should still bear in mind that South African corporates are not completely immune from the risk that comes with making payments to sanctioned groups and/or entities. Having said that, even after the introduction of the Cybercrimes Act, the legal position in South Africa is similar to that of other jurisdictions: no legislation makes it illegal per se to make ransomware payments.
With the introduction of the Protection of Personal Information Act 4 of 2013 (otherwise known as POPI or POPIA), parties in possession of data (i.e. private entities or businesses) have an obligation to notify data subjects of security compromises following a cyber security breach. Consequently, one cannot simply pay a ransom demand on the assumption that data is restored and operations resume as normal; one is also faced with the consequences of any breach of the obligations arising out of POPIA, notwithstanding any payment of the ransom.
Legally there is no prohibition on paying a ransom, but consideration should be given to whether the entity or person to whom the payment is being made is sanctioned or a terrorist group. In practice, the identity of the perpetrator might not be ascertainable, so it is important for businesses to conduct the necessary risk assessments before making such payments and to have regard to their data protection obligations to report data breaches to the relevant parties.
It is therefore vital that corporates and organisations take preventative measures against ransomware attacks. Some general guidelines for corporates and organisations are to:
- Maintain encrypted backups of data offline and regularly test these backups;
- Have in place a cyber incident response strategy;
- Implement a cybersecurity user awareness and training program;
- Ensure antivirus and anti-malware software and signatures are up to date across the organization; and
- Audit the organisation’s third-party service providers to ensure that they apply the recommended cybersecurity practices.
In line with our summary of preventative measures, and as the old adage goes, ‘prevention is better than cure’: it is certainly better to prevent having to deal with the aftermath of a cyberattack than to be faced with the dilemma of To Pay or Not to Pay. Ransom payments are simple supply and demand, and an easy way to incentivise a lucrative market for hackers. They perpetuate a toxic breeding ground for these criminals and embolden them to carry on with their nefarious behaviour.
In closing we have this to say: paying a ransom request is not advisable!
This article is authored by partner Rakhee Bhoora, senior associate Roy Hsiao and candidate attorney Caleb Mapatha.