Last month saw BCLP host a high profile data breach seminar, in which industry specialists, the ICO’s Head of Investigations, a former convicted hacker and BCLP’s data breach team came together to discuss issues that arise when firms are hit by a data breach in the current enforcement climate. During the seminar we asked our audience, made up of Execs, CISOs, DPOs, lawyers and other professionals, a number of questions about their own approach to data breaches. Over the coming weeks we will be discussing some of the notable points that arose out of the answers to those questions.
One of the key discussions was around whether you should interact with a hacker who invites contact after successfully penetrating your company’s systems – in fact, this is a usual feature of a ransomware attack, where the bad actor offers to decrypt the firm’s system in return for payment (typically in the form of a cryptocurrency). As you can see from the percentages below our audience was split, with a slight preference for not making any contact.
Q: Would you make contact with a hacker with a view to making payment?
42% say they would
58% say they would not
These results reflect what was - until recently - the official line from the UK National Crime Agency (NCA), namely that firms should not engage with hackers and should not pay any ransom. However, this position appears to have softened. The guidance that previously advised firms not to pay seems to have been removed from the NCA’s website, and the NCA’s page on ransomware links to an NCSC page which states “It is a matter for the victim whether to pay the ransom”.
The willingness of firms to engage with the criminal will often, unsurprisingly, depend on the extent to which the cyber attack has disrupted their business operations – has a ransomware attack locked down the entire network, or is the infection more localised? Have servers been affected in a number of jurisdictions? Other considerations are the degree and nature of the immediate impact on third parties and/or customers – what risk and potential liability is the impacted firm building up vis-à-vis third parties? Note also that some ransomware starts to delete files if a payment is not made by a specified deadline, compounding the time-critical nature of the situation.
If there are backups available that have been properly segregated and can restore the system to a reasonable state then firms may wish to go down that route instead of effectively giving in to blackmail. However, from a technical point of view, restoring systems from backups is not always easy or cheap, particularly if that restoration process has not been regularly tested. And the backup route is not always free from risk; sophisticated hackers can adapt malware to cause secondary infection once the backup process is complete. Business continuity planning – and testing – forms a key component of cyber incident management. A further obvious consideration is that – as well as being morally abhorrent – there is no guarantee that paying the ransom will lead to the promised outcome. Although in our experience payment of the ransom does lead to release of the data, there are accounts of blackmailers who do not (or are not technically competent enough to) decrypt your system, even if you pay the ransom.
If firms do decide to engage with a hacker, they should make sure that the process and the reasoning which results in this decision is clearly documented. Despite the NCA’s apparent softening on the issue of payments, regulators and enforcement agencies may still require an explanation from firms. Indeed, in the financial services sector, the FCA’s own guidance still refers to the NCA’s previous guidance that firms should not pay money in the event of a ransomware attack. The ICO does not have an express policy on ransomware payments but was critical of payments made by Uber to extortionists under its bug bounty programme. A documented decision making process will be invaluable if a regulator starts querying why any payment was made.
On a technical note – firms should be careful when using backups to restore the system: if there is any malicious software still in the system, you may find that your backups, which were previously isolated from the attack, become corrupted. Your business continuity planning should take account of this possibility.
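One practical way to act on the point above is to check a backup set against a hash manifest that was recorded at backup time and kept off the affected network, before any restore is attempted. The script below is an added example and is not code from BCLP or from the seminar; the directory layout, file names and contents are constructed sample data, and the manifest format (a simple path-to-SHA-256 mapping) is an assumption chosen for illustration. It reports files that were modified, removed or added since the manifest was written, which is exactly the signal you want if malware still on the network has touched the backups.

```python
"""Pre-restore integrity check for a backup set.

Added example, not part of the original post. Compares every file in a backup
directory against a SHA-256 manifest written at backup time. Any file that has
changed, vanished or appeared since then is reported so the backup is not
trusted blindly during recovery. All paths and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record relative path -> SHA-256 for every regular file under backup_root."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously recorded manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}.
    Three empty lists mean the set matches the manifest exactly.
    """
    current = build_manifest(backup_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Build a constructed backup set, record its manifest, then alter the set.

    Returns the verification report for the untouched set ('clean') and for
    the altered set ('tampered') so both outcomes can be inspected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        # Manifest taken at backup time; in practice it lives offline or on
        # immutable storage so that it cannot be rewritten alongside the files.
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate a backup set that was altered after the manifest was taken:
        # one file overwritten, one deleted, one unexpected file added.
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\nextra=1\n")
        (root / "db" / "customers.sql").unlink()
        (root / "extra.bin").write_bytes(b"constructed sample of an unexpected file")
        tampered = verify_backup(root, manifest)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if it cannot be altered by the same malware that altered the backups, so it should be written to storage the compromised network cannot reach; running the check from a clean, isolated host, and restoring into an isolated environment first, is what makes the result meaningful.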