With hackers finding new ways to attack companies and consumers with malware, should you simply pay the ransom?
There have been three major ransomware attacks this year, executed on a global scale and costing businesses around the world millions. In each case the threat was different: patches for the first, WannaCry, couldn’t prevent the arrival of the second, NotPetya, and the latest, Bad Rabbit, arrives not via email but under the guise of an Adobe Update Installer. Given the ingenuity and determination of hackers, it may feel as though keeping up and keeping your organisation safe from malware is an impossible task, and that it may be worth paying the ransom if the worst ever happens. However, there are many downsides to this approach, not least that you could be breaking the law.
The UK does not prevent the paying of a ransom; the legal system acknowledges this should be a matter of personal conscience and responsibility and takes the safety and vulnerability of what is being ransomed into account. If, then, you pay a ransom to keep your business running and keep several people in their jobs, this would not be breaking the law. However, the payments may not be covered by your insurance and, as an added wrinkle, there is no guarantee that paying the ransom will release your systems from the hackers’ stranglehold.
In addition, there are very strict rules about the funding of terrorism. Paying a ransom may constitute providing funds to terrorists, and the punishments for this are severe. The phrase in the legislation is that someone making a payment when he or she “knows or has reasonable cause to suspect that it will or may be used for the purposes of terrorism” will be breaking the law. Any payments would additionally not be covered by insurance. Cyber terrorism can cover a lot of ground, and will include any politically or ideologically motivated attack. It’s hard to know for sure: in many instances the motivation may simply be money, but that’s hard to assess. Any attack on a public organisation such as the NHS or the German transport system may be construed as terrorism even if the organisation behind the attack is not exposed, or no explicitly terrorist organisation claims it.
Of course, the major problem with ransomware attacks is that the malware sets the clock ticking. This is why many people panic and pay the ransom, but it’s worth taking the legality into account. There could be much worse ahead for the business if it is found to have been funding terrorism, even under duress, and it is likely to be a target for future extortion once the hackers know that the company is willing to pay.
As mentioned, it’s also worth checking your insurance policy; there is likely to be a requirement to prove that the threat is genuine, that it is not linked to a terrorist organisation and that, prior to payment, the company had taken suitable precautions to prevent the attack. In some cases, the insurer may demand that the business call the police, which may make the attack public; if the plan was to pay the ransom to keep the problem under wraps, this is something else to take into account.
This is a lot to think about while the clock is ticking on the ransom demand. That’s why you have to plan ahead. The best approach is to install security protocols to prevent as many attacks as possible, train your team to avoid clicking on anything from a suspicious source and have a disaster recovery strategy in place. That way, if the worst happens, you don’t have to pay the ransom and address all those concerns about whether you’re funding terrorism, whether your insurer will cover the payments or whether you’ve just invited future attacks and more ransom demands. Taking steps ahead of time can make your organisation more secure and more prepared in the event of an attack.