UK and US Governments crack down on ransomware criminals

Handling ransom demands (and whether it possible and/or desirable to pay) is one of the most critical aspects of managing a cyber attack. This involves considering the applicable, and evolving, sanctions position, among other risks. Last week, the UK and US Governments took a further step forward in this regard, sanctioning seven Russian cyber criminals. Making funds available to them, for example by paying a ransomware demand in crypto assets, becomes an offence under these sanctions. 

The direct sanctions for these individuals aim to disrupt and reduce the profitability of ransomware for this group of threat actors who have been identified as causing the highest harm to the UK. They also mark the start of a campaign of coordinated action against ransomware actors being led by the UK and US.

The ransomware threat

Ransomware is a tier 1 national security threat and the “most acute cyber threat facing the UK” according to Lindy Cameron, the CEO of the UK’s National Cyber Security Centre (NCSC). Despite the infamous Conti group disbanding last year, the risk remains high, with many former members suspected of being involved in some of the most notorious new strains of ransomware that are currently threatening UK security. 149 British victims of ransomware known as Conti and Ryuk were, for example, recently identified by the National Crime Agency (NCA), and millions of pounds have been paid to the threat actors.

What can you do?

As well as reminding organisations to take immediate steps to limit their cyber risks by following NCSC advice, the NCSC is also asking victims of ransomware attacks to use the UK Government’s Cyber Incident Signposting Site.

In addition, the UK’s Office of Financial Sanctions Implementation (OFSI) has published new public guidance which sets out the implications of these new sanctions in ransomware cases. Amongst other things, this guidance: 

• reminds organisations that breaches of financial sanctions are a serious criminal offence - they can carry a custodial sentence and/or monetary penalty; 
• sets out “mitigating steps” (things like carrying out due diligence) which, if taken, would mean the OFSI and NCA would be “more likely to resolve a breach case involving a ransomware payment through means other than a monetary penalty or a criminal investigation"; and 
• makes it clear that a licence to pay a ransom to a sanctioned person is unliklely to be granted.

Comment

Jonathan Cotton, a Partner in Slaughter and May’s Cyber Hub and Co-Head of Global Investigations, said “[t]he room for manoeuvre for companies when facing a ransomware attack has just got narrower and may get narrower still in coming months”. It is therefore vital to stay on top of developments around cyber sanctions.  

However, while the sanction risk is particularly pertinent at present, it is still important to consider a whole range of issues when deciding whether or not to pay a ransomware demand. Regulators such as the ICO have made their views clear on the risks around payment and what steps they expect organisations to take to mitigate the ransomware risk (see for example our previous blogs on the ICO’s ransomware guidance and its ransomware advice letter to the Law Society) and organisations will need to consider all relevant factors on a case by case basis. This is, however, a much easier process where ransomware is specifically considered a part of cyber preparedness plans and simulation exercises.