UK Urges Organizations Not to Pay Ransomware Demands
The UK ICO and NCSC issued a letter to UK lawyers stressing that paying the demands of ransomware actors is not advisable.
As groups like Conti, Black Cat, and Lockbit have shown over the past few years, ransomware isn't going away, nor - as much as defenders would like it to - is it really slowing down.
While the U.S. government has mostly been resolute in its stance that organizations not pay a ransom - there's no guarantee you'll get your stolen data back or regain access to your network - the guidance slightly differs depending on where you reside in the world.
In the U.K. last week, two organizations, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO), reiterated that ransomware ransoms should not be paid. In a joint letter to the Law Society of England and Wales, the independent professional body for solicitors there, both organizations asked the association to remind its members not to pay the demands if they're hit by a ransomware attack.
Apparently, the impetus for the letter stems from the fact that firms in the region have been paying ransoms under the impression that it's the right thing to do and can spare them from having to deal with the ICO.
That’s incorrect, as the ICO and NCSC wrote:
“In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay. It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case,” the two parties write.
"Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data," they added.
Organizations that do wind up paying will not see a reduction in penalties if there's an ICO enforcement action. The ICO stressed, however, that it would view an organization contacting its office and cooperating with the NCSC on an investigation as positives.
The ICO used the letter as an opportunity to update its guidance on ransomware and data protection compliance. In it, the group - the U.K.'s data watchdog - provides tips on protecting personal data and explains when a data breach must be reported, both to the ICO and to law enforcement.
Similar to the Cybersecurity and Infrastructure Security Agency's Stop Ransomware microsite, the NCSC also has a "ransomware hub" that collects all of its guidance in one place.
The letter comes a few months after Jen Easterly, the director of CISA, warned the UK that it could be hit by a 9/11-style cyberattack if security services there fail to see the "magnitude of the threat" they face. Steve Barclay, the Chancellor of the Duchy of Lancaster, echoed those sentiments, driving home that one of the biggest threats facing the country is a large-scale ransomware attack.