Charlie discusses the possible benefits of paying a cyber ransom and whether this is illegal.
I thought this week I would do a bit of research on a subject that has intrigued me for a while, which is the legality of paying cyber ransoms. In news articles about firms who have been a victim of ransomware, there is often speculation that they have paid the ransom but there is little hard evidence as organisations, on the whole, do not want to admit they have paid either company or public sector money to criminals. One of the sectors I have noticed which seems to have had a spate of ransomware attacks is the USA’s local government, and according to commentators, they often pay the ransom demanded. In this year’s Hiscox Cyber Readiness Report, 6% of the 5,569 firms polled, one in six of those attacked, had surrendered by paying a ransom following an attack and their combined losses came to $381 million.
What are the benefits of paying? In terms of cost benefit, at first glance they look huge. The ransomware attack on Maersk was reputed to have cost them $300m, while the BBC reported that the attack in 2019 on Norsk Hydro, a global aluminium producer, cost in the region of £45m. The ransom paid by the USA local government, Jackson Co., Georgia of $400,000 seems a fair price as the impact of ransomware can include, damage and destruction (or loss) of data, downtime, lost productivity, the cost of the carrying out the response and the reputational damage. Beazley, the specialist insurer, found that the average ransomware demand in 2018 was more than $116,000, but this was skewed by some very large demands. The median was $10,310. The highest demand received by a Beazley client was for $8.5 million. There is money to be made in ransomware attacks and a fairly low chance of getting caught.
As a brute force attack on the ransomware encryption usually doesn’t work, the only option organisations have is to rebuild their entire IT infrastructure and stock of laptops and desktops from back up, which is very expensive and causes increased downtime. Two weeks ago, we talked about doxing and ‘double extortion’ where the organisation in control of the ransomware tries to extort additional money from the attacked organisation by threatening to release sensitive files. Organisations could be faced with the additional impact of having the embarrassment of their files being published and available to all.
Of course there is also a downside to paying a ransom in that there is no guarantee that if the ransom is paid the attackers will produce the key, and secondly, the organisation can be put on a ‘suckers list’ where other criminal organisations will try a similar attack as they know the organisation pays up. This also increases the risk to the whole sector, as the more success hacker organisations have, the more others will try their luck with organisations within the sector.
Is it illegal to pay a ransom? I was reading a couple of articles from law firms on the subject. One of them, Cameron McKenna LLP, in their article ‘Cybercrime and ransom demands: is it a crime to pay?’ (PDF available here) said that there was no legislation in the UK that confirmed the paying of a ransom was a crime and the closest legislation they had was to go back to ‘The Ransom Act of 1782, which outlawed the payment of a ransom in respect of British ships taken by the King’s enemies or persons committing hostilities against the King’s subjects, was the only guiding piece of legislation on the legality of ransom payments. Since its repeal by section 1 of the Naval Prize Acts Repeal Act 1864, legislators in the UK’. There has been no further legislation on this issue. They also mentioned that The Benga Melati Dua case in 2011 (Masefield A.G. v. Amlin Corporate Member Limited  EWCA Civ 24), highlighted the issue. In his judgment, Lord Justice Rix commented ‘there is no evidence of [ransom] payments being illegal anywhere in the world. This is despite the realisation that the payment of ransom, whatever it might achieve … itself encourages … the purposes of exacting more ransom’.
Law firm, Pinsent Masons, in ‘Cyberattacks: due diligence essential prior to paying ransoms’ said that the only way organisations could be prosecuted under the UK’s Terrorism Act 2000 is if they knowingly paid ransoms to a recognised terrorist organisation or if they had violated the Proceeds of Crime Act, the Serious Crime Act or an asset-freezing regime. This was the same for insurance companies if they were involved in payments as well. They suggested that organisations should conduct due diligence before they paid, to ensure that they couldn’t be prosecuted under one of these acts. As most proprietors of ransomware extortions are faceless organisations and anonymous, it would be very difficult to prove that a crime had been committed.
The topic of paying ransoms rather reminded me of the 70s, when hijacking was very popular among liberation groups and criminals. Only once security screening was improved, and governments refused to negotiate and sent in the special forces, even at the risk of the hostages being killed, did the hijackings greatly reduce. Cybersecurity is improving which makes the attacks more difficult but I think only once government’s strongly legislate against the paying of ransoms, perhaps even with personal liability on those who paid the ransom, provided the money or authorised it, will these attacks then greatly reduce.