The legal profession has been urged to stop advising clients to pay ransomware demands in a joint letter issued today by the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).
The open letter asked the Law Society to remind its members that they should not advise clients to pay ransomware demands when they fall victim to a cyber-attack. It emphasized that paying ransoms does not reduce the risk of future attacks on individuals or even guarantee the decryption of networks or return of stolen data. In addition, paying ransomware groups “will not reduce any penalties incurred through ICO enforcement action.”
The NCSC and ICO also urged lawyers to consider the broader damage caused by paying ransomware demands, since each payment incentivizes further attacks by malicious actors. They observed that the annual cost of cybercrime is estimated to be in the billions, and that the true figure is likely much higher because this estimate does not include the costs borne by businesses.
Instead, the letter reminded the Law Society that it is a regulatory requirement for a ransomware incident to be reported to the ICO if people are put at high risk. In addition, the NCSC can provide support and incident response to mitigate harm following a report. It will also work with victim organizations to help them learn lessons from the attack and ensure they have taken steps to protect themselves from similar incidents.
It added that the ICO “will recognize mitigation of risk is where organizations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”
The ICO also noted that victim organizations should be referred to their updated ransomware guidance page, which sets out the steps that should be taken in the event a ransom demand is issued.
NCSC CEO Lindy Cameron commented: “Ransomware remains the biggest online threat to the UK and we are clear that organizations should not pay ransom demands.
“Unfortunately, we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cybersecurity is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
John Edwards, UK Information Commissioner, added: “Engaging with cyber-criminals and paying ransoms only incentivizes other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance and good cyber hygiene, including keeping appropriate backup files and proper staff training to identify and stop attacks. Organizations will get more credit from those arrangements than by paying off the criminals.
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognize in our response should the worst happen.”