The legal consequences of ransomware payments

The legal consequences of paying or not paying for ransomware hang like a dark shadow over the business, especially as these attacks become more common and sophisticated. Ransomware continues to be the biggest threat to SMEs and to large companies operating in healthcare, retail, manufacturing and other vital sectors, according to the Acronis Cyberthreats Report 2022.

About 37% of companies worldwide report having been hit by a ransomware attack in 2021. Many researchers believe the real figure is higher, because only a fraction of ransomware attacks are detected or disclosed. It is not easy for companies to keep a sufficient overview of all threats and to protect themselves adequately against the tidal wave of cyber attacks, partly because the ransomware business model keeps evolving: Ransomware-as-a-Service (RaaS) lets affiliates rent the malware and infrastructure, and a related market of Initial Access Brokers (IABs) sells ready-made footholds into already compromised corporate networks.

These subscription-based models are popular across the various ransomware families (which are usually named after the group or gang operating them). Under such a model, one party sells the ransomware tooling and another sells access to infiltrated corporate networks, so that the affiliates who actually carry out the attack need little technical skill of their own.

We are also seeing an increase in cloud-based ransomware as cybercriminals target the Software-as-a-Service (SaaS) market. Attackers encrypt or lock their victims’ devices or SaaS data to force them to pay a ransom. Some of these gangs are simply paying customers of major cloud providers and build their own infrastructure there to distribute malware easily. US companies top the list of targets for all cybercriminals and groups, regardless of ransomware family or gang.

Meanwhile, small and medium-sized enterprises are also increasingly coming under fire. In this segment, reported losses range from just under $70 to as much as $1.2 million, and in 95% of cases the average ransomware-related loss is around $11,150. The reports do not all come to the same conclusion about how many SMEs and large companies are attacked (sometimes as many as three out of five are cited), but security researchers agree that the number of attacks will increase in the coming years.

No sector is spared. Ransomware attacks affect education, healthcare, retail, technology, manufacturing, utilities and financial institutions. The threat of a ransomware attack hangs over every company and organization, and each of them must decide for itself whether it is wise to pay the ransom or not.

To pay or not to pay?

The first priority for any business, of course, is to prevent a ransomware attack with proactive measures. But even then, it is important to decide in advance whether a ransom would be paid or not. Security experts generally advise against paying, for a number of good reasons. Few companies that pay actually recover all of their encrypted or stolen data. There is no guarantee that the decryption keys they receive will work properly, or that stolen data will really be deleted. And every payment motivates cybercriminals to continue extorting victims and developing new ransomware.

Legal consequences

Governments have taken a common stance against paying ransomware and have put it in a legal framework. The Office of Foreign Assets Control (OFAC) of the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN) have not banned ransom payments outright, but their advisories make clear that a payment to a sanctioned person, group or jurisdiction violates US sanctions law, that the victim and any facilitator (insurers, negotiators, payment intermediaries) can face civil penalties even if they did not know who they were paying, and that such payments are strongly discouraged.

The EU takes a similar approach to operators of “essential services”, a category that has recently been extended to a number of new sectors. Under the Network and Information Security Directive (NIS Directive), Member States impose security and incident-notification obligations on these operators and may fine companies or organizations that fail to meet them, so a ransom quietly paid instead of a reported incident can itself become a compliance problem.

Whether negotiating with the attackers makes sense depends on who was hit, what was taken, where the organization operates and why it was targeted. Sometimes it is worth buying time so that the company’s security experts or providers can look for or develop a decryptor, for example for a ransomware family whose keys have been recovered or whose encryption is flawed. That time can also be used to try to identify the ransomware group, which matters for the sanctions question above.

So far, no criminal charges have been filed against companies or organizations that have paid ransom to ransomware attackers. But of course the loss of very confidential information has consequences for ethics, brand reputation and market position, for example:

Sanctions for leakage of protected health information (PHI, under HIPAA), payment card data (under the payment card industry rules) and personally identifiable information (PII, under data protection law).

Serious loss of confidence in the brand.

Negative effects on service agreements, market position, valuation and investor confidence that can be financially catastrophic.

No guarantee

It is important to understand that there is no guarantee whatsoever that paying a ransom will produce a working decryption key or that data can actually be recovered. Payment can also mark the company as a willing payer, and lead the same or other attackers to try again.

Security experts agree that it is better not to pay, but it is always wise to ask a security expert about the best approach in a given situation. Based on that advice, a company can plan any necessary changes in its security and prepare for the possible consequences for the business.

Economic and market consequences

The U.S. Congress has passed legislation (the Cyber Incident Reporting for Critical Infrastructure Act of 2022) requiring companies in sectors critical to U.S. national interests to report significant cyber incidents and ransom payments to CISA once the implementing rules take effect. But every business is different and is subject to different legal requirements. This means that each company must also make its own assessment of whether or not to pay the ransom.

JBS Foods, the world’s largest meat supplier, paid $11 million in bitcoin in 2021 after attackers managed to shut down some of its meat processing plants. According to its CEO, the company decided to pay to prevent further disruption that would have had a huge impact on restaurants, supermarkets, farms and its own meat processing plants.

Colonial Pipeline paid the cybercrime group DarkSide $4.4 million in 2021 after the attackers encrypted its systems and stole nearly 100 GB of data. The hack caused massive fuel shortages on the US East Coast. The initial access was a single compromised password for a VPN account that had no multi-factor authentication.

Other companies chose not to pay because they had backups and other recovery options in place:

Sports equipment manufacturer Puma fell victim to a ransomware attack in January 2022 in which data on around 6,632 employees was stolen. As a result, payments to employees were made weeks late.

Chipmaker NVIDIA was hit by a ransomware attack in February 2022. The attackers threatened to release 1 TB of data, including employee credentials and confidential company information such as source code.

Global tire manufacturer Bridgestone discovered in February 2022 that the LockBit ransomware gang had infiltrated its systems. Despite all efforts, the company was forced to halt production for an entire week.

Law firms are also increasingly affected by ransomware attacks, but have differing views on whether or not to pay a ransom. In February 2021, a ransomware attack hit a well-known law firm with dozens of large clients in the financial sector. The firm said social security numbers, biometric data and health insurance information may have been stolen. The National Law Review advises against paying, for essentially the reasons listed in this blog.

Paying or not paying a ransom has operational, legal, financial and brand-related consequences. In this blog, we have listed some of the most important implications for you. We recommend that all companies prepare proactively to stop ransomware and develop a strategic plan for the aftermath of an attack. Preventing or responding to a ransomware attack requires a good understanding of the technical challenges involved.

Technical challenges of a ransomware attack

Companies of all sizes face a number of technical challenges when trying to prevent or respond to ransomware attacks as well as possible. Many companies do a poor job of backups, of rolling out security tooling consistently across all systems, of patching, and of other important tasks. Protecting business data requires an integrated approach to cybersecurity.

Every business, whether it has one, a hundred or a thousand employees, should make cybersecurity training and best practices part of its corporate culture. It all starts with a good understanding of the difference between cyber resilience and cyber security. Cyber resilience is the degree to which a business can withstand and recover from cyber threats; cybersecurity refers to the critical IT tools and practices needed to achieve this goal.

A proactive approach to ransomware and malware infiltration

Cyber attacks are becoming more sophisticated and require a holistic (physical, targeted and multifaceted) approach to cyber security and cyber resilience. Integrated backup and security solutions, for example, are an important part of applying the 3-2-1 rule: keep three copies of your data, on two different types of media, with one copy off-site. That off-site copy should also be offline or immutable, so that ransomware which reaches the production network cannot encrypt or delete the backup along with the original data.

Acronis Cyber Protect offers a hands-on, proactive approach to combating ransomware to help businesses achieve the cyber resilience they need. It is the only solution with built-in integration of cybersecurity, data protection and management to secure endpoints, systems and data. Thanks to this versatile and holistic approach to cyber security, both SMEs and large companies can proactively prepare with Acronis Cyber Protect to stop attacks both now and in the future. Try it for free for 30 days!

The goal is to gather company-specific insight into the legal implications of paying or not paying ransom to ransomware attackers. An enterprise can then develop the technical and organizational “cyber-resilient” capabilities that play a crucial role in protecting enterprise data.

Acronis does not provide legal advice on ransomware in this article and recommends that any company consult a legal advisor who specializes in this area. This ensures that you have mapped out the best options before you actually have to decide if you want to pay ransom to ransomware attackers.
