Cyber Attack - should you pay the ransom?
In some instances, it's unlawful to pay
The increase in cyber-attacks has been notable over the past decade. Threat actors have become more sophisticated in their strategies and execution of attacks. We are seeing an increasing trend for an organisation's data to be encrypted and held to ransom for financial gain. These attacks are common and, in many cases, avoidable with appropriate infrastructure and security protocols.
But. what do you do when an attack slips through, and a threat actor gains access to your IT environment?
Naturally, there are many conflicting opinions about whether a person or organisation subject to a cyber-attack should succumb to the demands of these criminals and pay the ransom in order to retrieve and "secure" their lost data.
Let's talk ransom payment .
The starting point in Australia = don't do it!
The Australia Cyber Security Centre (ACSC) recommends never paying a ransom due to the lack of guarantee that access will be restored, or that data will not be leaked or sold in any event.1
Refusing to pay a ransom and choosing to invest in shoring up cyber defences may also be better for organisations in the long-run, despite the "crisis tax", which is the additional costs of shoring up these defences in the midst of an emergency situation.
However, organisations that provide critical infrastructure or essential services may have little or no time to consider restoring services and paying a ransom can feel unavoidable.
Some also believe that by agreeing to pay the ransom, and subsequently being provided with a decryption key, it can help organisations better understand the elements of the attack and assist in their subsequent preventative or firming up actions.2
As cyber insurance policies become a more regular feature in an organisation's risk management toolkit, it is similarly crucial to consider whether a proposed ransom payment is covered under any such policy. When faced with a cyber-attack, it is vital to involve cyber incident management experts early and before any significant decisions are made, by way of ensuring that policy conditions are met and coverage considerations can be addressed to include legality.
Digital Pirates - the scourge of the new age
The most significant consideration is the impact of the compromised data and the extent to which it moves beyond just the victim organisation. When viewing the analogous situation of pirates holding a ship, including its crew and cargo, to ransom, the payment of such is a timely decision and, in some cases, may be the only option for an owner to regain possession of their vessel, cargo, and crew in a safe manner. This same argument can be presented for the payment of a cyber ransom.
The differentiating factors relate to the degree of affect. And this neatly falls into the exclusionary clauses within the Criminal Code to ensure the exhaustion of all other counteractions and responses to the attack. This is where cyber legal experts play an important role in providing you with expert, timely advice to assist you in making informed decisions.
The legalities around paying ransoms in Australia
In Australia, it is unlawful to pay ransoms3 to a terrorist organisation4 or an organisation listed by a UN sanction.5 However, broadly speaking, there is a defence of duress available for affected parties. They need to be able to prove:
- There is no reasonable way that the threat can be rendered ineffective; and,
- The conduct is a reasonable response to the threat.6
Where organisations have backups available or restoration could be achieved through other investigative or remediation measures, it would be hard to prove point 1 above. This is true, even where the effort to do so is onerous or expensive.
The "reasonable response" requirement of the second point may be more difficult to prove. The balance of reasonability between a company wanting to protect any commercial information, compared with a person wanting to save a family member.
There may also be a future obligation for victims of ransomware attacks who have paid the ransom to report the same to ACSC.7
On balance, an organisation should consider consulting legal practitioners with cyber expertise with a view to carefully considering the full extent of the impact to their organisation and what steps must be taken prior to the payment of a ransom to avoid it being considered unlawful. Gaining comprehensive legal advice in line with industry standards and the law is essential, along with obtaining advice regarding the potential cover available to you under an applicable cyber policy.
Should I pay?
After systems have been compromised, whether or not to pay a ransom is a serious decision. Paying a ransom might fall into the classification of "criminal activity". On the other hand, getting data returned might be the only viable solution for your business.
The point is, paying a ransom is a consideration that is specific to each unique scenario. There's no one-size-fits-all answer. But what is absolutely essential, is to involve experts and not make that decision in isolation of cyber incident response experts.
Footnotes:
1 https://www.cyber.gov.au/ransomware/what-to-do
3 Criminal Code Act 1995 (Cwth) s 102.1(a), 102.7, 103.2(1); Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); Charter of the United Nations Act 1945 which provides the domestic legislative backing to the UN sanctions framework, most pertinently the International Convention for the Suppression of the Financing of Terrorism on 9 December 1999 (resolution 54/109)
4 Criminal Code Regulations (2002) Cwth
5 Australian Government, Department of Foreign Affairs and Trade: UN Sanctions prohibited organisations list.
sup>6 Criminal Code Act 1995 (Cwth), s 10.2
7 Ransomware discussion paper, Labour Nationals, February 2021, https://www.timwatts.net.au/media/187357/beyond-the-blame-game-ransomware-discussion-paper.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
