Paying ransomware demands has legal ramifications: Ransomware's Changing State
The Most Boring Article About Ransomware Demand You'll Ever Read
The legal ramifications of paying or refusing to pay ransomware demands loom over organizations like a specter as assaults become more common and sophisticated. According to the Acronis Cyberthreats Report 2022, ransomware remains the #1 threat to SMBs and organizations across healthcare, retail, manufacturing, and other critical industries.
In 2021, 37% of organizations worldwide reported being victims of a ransomware attack, a figure many researchers believe understates the true number because only a small percentage of ransomware attacks are ever reported. Today's enterprises must understand and protect themselves against a slew of attack models, including ransomware as a service (RaaS) and its sub-genre known as initial access brokers (IAB).
These subscription-based approaches are common across the many varieties of ransomware, which are usually identified by the groups or gangs that operate them. They entail the sale of compromised corporate resources (such as stolen access) and ransomware tooling to other cybercriminals and gangs.
Cloud-based ransomware is also becoming more common, with attackers targeting software as a service (SaaS). Attackers compromise businesses and lock them out of their devices or SaaS data in order to extort a ransom payment. Some of these gangs are already purchasing capacity directly from large cloud providers in order to build up their own infrastructure for easy malware distribution. Companies located in the United States are the most frequently targeted, regardless of ransomware type, group, or strain.
SMBs are receiving increased attention, with losses ranging from $70 to $1.2 million. However, the typical ransomware-related cost in 95% of the instances is $11,150. While figures differ on the number of ransomware attacks on SMBs and corporations, estimates range as high as one in every five, and security experts uniformly predict an increase in the coming years.
There have been documented ransomware attacks in education, healthcare, and retail, as well as technology, manufacturing, utilities, and finance. As the threat of a ransomware assault looms over every business and organization, each must decide whether to pay or not pay.
Should I pay or should I not pay?
To begin, it is critical to state that every business's first goal is to prevent a ransomware attack in the first place. But that doesn't mean having a position on paying or not paying is any less essential. Almost all security experts advise against paying. This advice is based on the low rate of successful recovery of affected data, the lack of certainty that the decryption keys will actually work, and, most crucially, the fact that paying simply encourages criminals to continue extortion and ransomware development.
Legal ramifications
Governments have taken a uniform legal stance against paying ransomware. According to a 2020 judgment by the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN), most ransom payments are prohibited.
The EU has followed a similar route for "essential services," a category whose scope it has recently expanded. Under the Security of Network and Information Systems Directive (NIS Directive), EU member states can levy fines for paying ransoms.
Negotiating with attackers has become the norm, but it depends on numerous factors around the who, what, where, and why of the ransomware attack. Some of these considerations center on the need for the company and its security experts or providers to have time to decide whether they can create a decryptor. They will also want time to try to identify the ransomware attacker or group.
There appears to be no precedent for the punishment of a company for paying ransomware attackers. There is precedent, however, for the ethical, brand, and market ramifications of the loss of highly private information resulting in:
Personal health information (PHI linked to HIPAA), financial data, Payment Card Industry (PCI), and Personally Identifiable Information (PII) regulatory fines
Serious consequences for a brand's perceived trustworthiness
Negative impact on service agreements, market position, valuation, and investor trust in potentially financially disastrous ways
Equally crucial, there is no guarantee that payment will result in a working decryption key or that the data will be recoverable. Paying may also signal that the attacker (or others) will return.
While security experts generally agree that it is best not to pay, it is always advisable to consult security professionals to determine the best course of action. This allows the company to plan for any essential security upgrades as well as any business repercussions.
Implications for finance and markets
According to a legislative resolution, companies essential to the national interest of the United States must now report being hacked or paying a ransom. However, the legality and method of paying or not paying differ from organization to organization.
After an attack briefly took many of its operations offline, JBS Foods, the world's largest beef supplier, paid hackers $11 million in bitcoin. The company's CEO stated that they paid to avoid further attacks on restaurants, grocery stores, farmers, and its own meat facilities.
Colonial Pipeline paid a $4.4 million ransom to the DarkSide cybercrime organization in 2021 to prevent the publication of approximately 100 GB of data. The attack, which began with a single compromised password, resulted in major shortages across the East Coast.
Others choose not to pay because of data backups and other methods:
In January 2022, sportswear brand Puma suffered a ransomware breach that exposed the information of more than 6,632 workers, resulting in weeks of late payments.
In February 2022, a ransomware attack on microchip maker Nvidia threatened the release of 1TB of employee passwords and sensitive corporate data, including source code.
Bridgestone, a global tire producer, discovered a security incident in February 2022 caused by the LockBit ransomware group. Despite its best efforts, the corporation was forced to halt manufacturing for a week.
Law firms have also observed an upsurge in ransomware attacks, with differing perspectives on whether or not to pay. The February 2021 ransomware attack on a large law firm with hundreds of customers in vital economic sectors was only one example. As a result, Social Security numbers, biometric data, and health insurance information may have been compromised. Many of the arguments discussed in this article lead the National Law Review to discourage payment.
The consequences of paying or refusing to pay a ransom include operational, legal, financial, and brand repercussions. This blog has covered some of the most common in each area. The ideal strategy is for all firms to proactively prepare for ransomware attacks and have a clear plan in place for the aftermath of an attack. This requires an understanding of the technical challenges of thwarting or responding to a ransomware attack.
The technical difficulties of a ransomware assault
Businesses of all sizes face technological obstacles in preventing or responding to ransomware attacks. The need for an integrated cybersecurity approach to keeping corporate data safe is demonstrated by low rates of backup coverage, end-to-end tool deployment, patch updates, and other controls.
Every company, whether it has one, hundreds, or thousands of workers, must incorporate cybersecurity education and best practices into its culture. This begins with an awareness of the differing requirements of cyber resilience and cybersecurity. While the first is concerned with the company's capacity to withstand cyberthreats, the second is concerned with supplying the critical tools IT requires to make that a reality.
A proactive approach to the spread of ransomware and malware
As attacks become increasingly sophisticated, a holistic approach to cybersecurity and cyber resilience that is concrete, targeted, and thorough is required. This includes integrated backup and security solutions that follow the 3-2-1 backup rule, with at least one copy of the data kept at a remote location.
CAL Defense, as a realistic, proactive solution to ransomware threats, assists organizations in achieving cyber resilience. It is the only solution that blends cybersecurity, data protection, and management to safeguard endpoints, systems, and data. Cyber Aeronautycs Ltd.'s comprehensive and holistic approach to cybersecurity assists SMBs and businesses in proactively preparing to stop threats today and in the future.
Try it out for free for 30 days!
The purpose of this article is to gather industry-specific information on the legal ramifications of paying or not paying ransomware demands. Every company can then learn how both hard and soft cyber-resilience skills play an important role in protecting corporate data.
It is crucial to note that Cyber Aeronautycs Ltd. is not providing legal advice on ransomware through this blog and advises all businesses to seek competent legal counsel. Doing so will give them the best options before being forced to decide whether or not to pay ransomware demands.