Cybercrime

UK Warns Lawyers Not to Advise Ransomware Payments

The NCSC and the ICO have warned UK lawyers not to advise clients to pay a ransom to cybercriminals

In a letter addressed to UK lawyers dated July 7, 2022, the UK’s National Cyber Security Center (NCSC) and the Information Commissioner’s Office (ICO), have reiterated – with teeth – the official stance on not paying a ransom.

Kevin Townsend

July 12, 2022

The NCSC and the ICO have warned UK lawyers not to advise clients to pay a ransom to cybercriminals

From the law enforcement standpoint, the letter explains, “Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position.”

The implicit warning is that sanctions against Russia could technically make payment of a ransom to a Russian cyber gang effectively if not actually illegal. Ignorance of the attackers’ nationality would be a dangerous tactic, since the NCSC specifically states that NCSC is part of GCHQ – and GCHQ, like the NSA, would know.

The law enforcement warning will only apply to companies with a presence in the UK – but other countries operating current sanctions against Russia might take a similar stance.

The second warning refers to the UK data protection regulator, the ICO. In setting regulatory fines, the ICO will normally consider actions taken to mitigate the risk of harm to individuals involved in a data breach. This does not apply to paying a ransom in the hope of recovering personal data stolen in a double extortion attack.

“For the avoidance of doubt,” says the letter, “the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”

In short, paying a ransom could leave a company open to charges of sanctions busting, while having no effect on any subsequent ICO enforcement. Given the international nature of GDPR and the UK’s current implementation of the UK GDPR, this would also apply to North American and other countries’ companies who pay a ransom to recover stolen European PII.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Latest News

Click to comment

Dealing With the Carcinization of Security

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Marc Solomon

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Derek Manky

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George