The UK’s National Cyber Security Centre (NCSC) is urging business owners to “stop paying ransoms to cyber hacking gangs”, warning that meeting criminal demands risks “incentivising” further attacks.
UK government security and data chiefs have urged businesses to "stop rewarding criminal gangs of cyber hackers by paying ransoms", in an unprecedented industry alert.
The move follows a sharp rise in ransomware attacks in which gangs deploy malware on a firm’s IT systems to encrypt its data. They then demand a ransom for the decryption key, and, where they have also exfiltrated the information before encrypting it, for its return or non-publication.
According to The Telegraph, the head of the UK's NCSC and the Information Commissioner warned businesses that they risk "incentivising" further damaging attacks by "malicious" actors by meeting their ransom demands. In a letter seen by the UK paper, John Edwards, the Information Commissioner, and Lindy Cameron, the NCSC's chief executive, said they were "alarmed at the increase in recent months of such attacks", with significant sums of ransom money being paid by firms.
"The trend appeared to be based on a mistaken belief by the companies' legal advisers that paying a ransom could protect the stolen data or result in a lower penalty from the Information Commissioner for the data breach," the Information Commissioner and the NCSC chief executive stated in the correspondence.
Cyber crime has cost the UK billions of pounds, according to Edwards, who said that paying ransoms "doesn’t accord with my view of the law" and was also "contrary to the public interest".
"It is very much going against my expectations of best practice and will simply prop up the ransomware business model and reward those people.
"Why on earth would you believe that these criminals who have just hacked and locked your system and stolen your data would honour a commitment to return it and not retain a copy or deposit it somewhere on the dark web?" Edwards told The Telegraph in an interview.
Edwards added that typically, off-the-shelf hacking equipment could be used to encrypt and lock companies' systems before they received a message or email demanding payment to have their files unlocked.
In some cases, the data was stolen and dumped on the dark web with the victim sent a link to it "as a means of effecting leverage", Edwards continued.
The correspondence has been sent to the UK Law Society according to The Telegraph.
If companies fall victim to a ransomware attack involving personal data, they may be required by law to report it to the Information Commissioner's Office (under the UK GDPR a personal data breach must be notified within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals).
The NCSC would provide support to mitigate the damage and to learn lessons from the incident.
Although the payments were not unlawful, "law enforcement does not encourage, endorse nor condone the payment of ransoms", Edwards and Cameron outlined.
"Payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data," they added.
Paying would also not reduce the penalties companies faced if they were found to be at fault for the breach.
The Information Commissioner has powers to fine firms up to 4 per cent of their global annual turnover (or £17.5 million, whichever is higher). "For the avoidance of doubt", the commissioner would not consider ransom payments to criminals as "mitigating the risk to individuals".
According to a Verizon report on data breaches, ransomware attacks account for about one in 10 of all data breaches worldwide and doubled in frequency last year, with more than a third of global companies saying they had been the victim of a ransomware attack in 2021.