The legal implications of paying ransomware demands: The evolving state of ransomware


The legal implications of paying or not paying ransomware demands hover like a specter over businesses as attacks become more prevalent and sophisticated. Ransomware remains the top threat to SMBs and enterprises across healthcare, retail, manufacturing, and other vital sectors, according to the Acronis Cyberthreats Report 2022.

Some 37% of global companies reported falling victim to a ransomware attack in 2021, and many researchers consider that figure low, since only a small percentage of ransomware attacks are actually reported. Today’s businesses must understand and guard against a wide range of cyberattacks in which ransomware methods evolve quickly, such as ransomware as a service (RaaS) and its sub-genre, initial access brokers (IAB).

These subscription-based models are highly prevalent among the different types of ransomware, which are always identified by the groups or gangs that run them. They involve the sale of infiltrated corporate resources and ransomware tools to cyberthieves and gangs.

Even cloud-based ransomware is growing in prevalence, with cybercriminals targeting software as a service (SaaS). Attackers lock businesses out of their devices or SaaS data to extract a ransom payment. Some of these gangs are now buying infrastructure directly from major cloud providers so they can distribute malware more easily. U.S.-based companies top the list of targets for all cybercriminals and groups, regardless of ransomware type, group, or strain.

There is a growing emphasis on SMBs, where losses range from a low of $70 to a high of $1.2 million. In 95% of cases, however, ransomware-related costs fall around a median of $11,150. While reports vary as to the number of ransomware attacks on SMBs and enterprises, estimates run as high as three in five, and security researchers uniformly foresee an increase in coming years.

No sector goes unscathed, with reported ransomware attacks ranging from education, healthcare, and retail to technology, manufacturing, utilities, and finance, among others. As the likelihood of a ransomware attack overshadows every business and organization, each must grapple with whether or not to pay.

To pay or not to pay?

First, it’s vital to state that every business’s goal is to proactively avert a ransomware attack. But that doesn’t mean it’s any less important to have a position on paying or not paying. Security experts across the board advise against paying. This recommendation is due to the low rate of success in retrieving stolen data, the lack of assurance that the encryption keys will actually work, and, most importantly, the fact that paying only motivates cybercriminals to continue committing extortion and developing ransomware.

Legal implications

Governments have taken a unified stand on not paying ransomware, backed by laws. A 2020 ruling by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) states most cases of paying a ransom are illegal.

The EU has taken a similar path when it comes to what it deems “essential services,” a category it has recently expanded. EU member states can impose fines for paying ransoms under the Security of Network and Information Systems Directive (NIS Directive).

Whether negotiating with cybercriminals has become the norm depends on many factors around the who, what, where, and why of the ransomware attack. Some of these factors revolve around the business and its security experts or providers needing time to determine whether they can write a decryptor. They will also want time to try to determine the identity of the ransomware attacker or group.

There seems to be no precedential case involving prosecution of an entity for paying ransomware attackers. However, there is precedent where ethical, brand and market implications of the loss of highly confidential information have led to:

●      Regulatory fines for personal health information (PHI related to HIPAA), financial data and Payment Card Industry (PCI), and Personally Identifiable Information (PII)

●      Severe implications for a brand’s perceived trustworthiness

●      Negative impact on service agreements, market position, valuation, and investor confidence in ways that can be financially catastrophic

Equally important is the reality that there is no guarantee payment will result in a working decryption key or that the data will be recoverable. Paying can also mean that the attacker (or other attackers) will return.

While the consensus among security experts is not to pay, it’s always best to consult with security professionals to determine the best approach. This enables the business to plan for any necessary security changes and potential business ramifications.

Financial and market implications

Companies critical to U.S. national interest are now required to report that they have been hacked or have paid a ransom, according to a congressional ruling. But for every company, the legalities and the approach to paying or not paying ransomware vary.

JBS Foods, the world’s largest meat supplier, paid hackers $11 million in bitcoin after an attack temporarily knocked out several of its plants. The company’s chief executive said they paid to prevent future attacks that could impact restaurants, grocery stores, farmers, and its own meat plants.

In 2021, Colonial Pipeline paid the DarkSide cybercrime group a $4.4 million ransom to stop the release of nearly 100 GB of data. The hack resulted in major shortages across the East Coast because of a single compromised password.

Other companies chose not to pay, relying on data backups and other methods:

●      Sportswear manufacturer Puma suffered a ransomware breach in January 2022 in which information on over 6,632 employees was stolen, resulting in weeks of late payments.

●      A February 2022 ransomware attack on chipmaker Nvidia threatened the release of 1 TB of employee credentials and proprietary company data, including source code.

●      Global tire manufacturer Bridgestone detected a security breach by the LockBit ransomware gang in February 2022. Despite its efforts, the company was forced to stop production for an entire week.

Law firms, too, have seen an increase in ransomware attacks, with differing views within the field on whether or not to pay. Just one example was the February 2021 ransomware attack on a major law firm with dozens of clients in important economic sectors. The result was the possible leak of Social Security numbers, biometric data, and health insurance information. The National Law Review discourages payment for many of the reasons cited here.

The aftermath of paying or not paying ransom has countless operational, legal, financial, and brand implications. This blog has addressed some of the most prevalent in each category. The best approach is that all businesses must proactively prepare to stop ransomware and have a clear plan for the aftermath of an attack. This requires an understanding of the technical challenges of thwarting or responding to a ransomware attack.

Technical challenges of a ransomware attack

Businesses of all sizes face technical challenges in how best to thwart or respond to ransomware attacks. Low rates of backup coverage, end-to-end tool deployment, and patching, among other factors, show the importance of an integrated cybersecurity approach in keeping business data safe.

Every business — whether it has one, hundreds, or thousands of employees — must make cybersecurity education and best practices part of its culture. This starts with an understanding of the different needs of cyber resilience and cybersecurity. While the first concerns the company’s ability to withstand cyberthreats, the second is about providing the crucial tools IT needs to make that resilience a reality.

A proactive approach to ransomware and malware infiltration

As cyberattacks grow more sophisticated, businesses need a holistic approach to cybersecurity and cyber resilience that is tangible, targeted, and comprehensive. This includes integrated backup and security solutions as part of a 3-2-1 rule, with at least one copy of the data stored in a remote location.

As a practical, proactive approach to ransomware attacks, Acronis Cyber Protect helps businesses achieve that cyber resilience. It is the only solution that natively integrates cybersecurity, data protection, and management to protect endpoints, systems, and data. This comprehensive and holistic approach to cybersecurity with Acronis Cyber Protect helps SMBs to enterprises proactively prepare to stop attacks today and in the future. Try it free for 30 days!

The goal is to gather business-specific insights on the legal implications of paying or not paying ransomware demands. Every business can then learn how hard and soft cyber-resilient skills play a crucial role in keeping business data safe.

It’s important to state that Acronis is not offering legal advice regarding ransomware in this article and encourages every company to consult appropriate legal counsel. Doing so provides the best options before a company ends up in the position of having to decide whether or not to pay ransomware demands.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.
