Stop paying ransoms to cyber-hacking gangs, businesses urged

Cyber hacking gangs - boonchai wedmakawand

Businesses must stop rewarding criminal gangs of cyber hackers by paying ransoms, say Government security and data chiefs in an unprecedented alert to industry.

In a letter seen by The Telegraph, the head of the UK’s National Cyber Security Centre (NCSC) and Information Commissioner warned businesses that they risk “incentivising” further damaging attacks by “malicious” actors by meeting their ransom demands.

The move follows a sharp rise in ransomware attacks, in which gangs embed malware in a firm’s IT systems, encrypting its data. They then demand a ransom for the decryption key or for the return of the information if they have extracted and stolen it.

In their letter, John Edwards, the commissioner, and Lindy Cameron, the NCSC’s chief executive, said they were alarmed at the increase in recent months of such attacks, with significant sums of ransom money being paid by firms.

They said the trend appeared to be based on a mistaken belief by the companies’ legal advisers that paying a ransom could protect the stolen data or result in a lower penalty from the Information Commissioner for the data breach.

Ransom payments do not ‘mitigate risk to individuals’

However, they warned that although the payments were not unlawful, “law enforcement does not encourage, endorse nor condone the payment of ransoms.

“Payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”

They warned businesses that “for the avoidance of doubt” the information commissioner would not consider ransom payments to criminals as “mitigating the risk to individuals.”

It would also not reduce the penalties companies faced if it was found they were to blame for the hack, they said. The commissioner has powers to fine firms up to four per cent of their global turnover.

Ransomware attacks account for around one in 10 of all data breaches worldwide, and doubled in frequency last year, according to a report by Verizon on data hacks. More than a third of global companies said they had been a victim of a ransomware attack in 2021, according to one study.

‘Contrary to public interest’

Mr Edwards said cyber crime was costing the UK billions of pounds and paying ransoms not only “doesn’t accord with my view of the law” but was also “contrary to the public interest.”

“It is very much going against my expectations of best practice and will simply prop up the ransomware business model and reward those people,” he told The Telegraph.

“Why on earth would you believe that these criminals who have just hacked and locked your system and stolen your data would honour a commitment to return it and not retain a copy or deposit it somewhere on the dark web?”

He said typically off-the-shelf hacking equipment could be used to encrypt and lock companies’ systems before they received a message or email demanding payment of £100,000, for example, to unlock them.

In some cases, the data was stolen and dumped on the dark web with the victim sent a link to it “as a means of effecting leverage,” said Mr Edwards.

The letter has been sent to the Law Society. Companies are told that if they fall victim to a ransomware attack, they could be required by law to report it. It said the NCSC would provide support to mitigate the damage, and learn lessons from the hack.