On 2 November 2023, the UK government announced that it and more than 40 countries had signed a Joint Statement strongly discouraging the payment of ransomware demands and pledging that central government funds should not be used to pay ransoms to cyber criminals. The statement, led by the UK and Singapore, is said to be the first international statement of its kind.
What is the statement?
The statement was signed by members of the International Counter Ransomware Initiative (CRI), including the US, Singapore and most EU member states, as well as Interpol. According to the CRI, the statement is intended to send a clear message that the global community strongly opposes the payment of ransom demands, and provides that countries “would lead by example” by not making ransomware payments and “strongly discourage anyone” from doing so.
What was the UK’s previous stance towards ransomware payments?
The UK’s National Cyber Security Centre (NCSC) has always advised businesses and individuals not to make ransomware payments, and it has been a long-standing policy of the UK government not to meet the demands of ransomware criminals. The UK government has publicly confirmed that it has never made a ransomware payment.
“New norm” or status quo for the UK?
Security Minister Tom Tugendhat has commented that the pledge made under the statement is an “important step forward in [the UK’s] efforts to disrupt highly organised and sophisticated cyber criminals, and sets a new global norm that will help disrupt their business models and deter them from targeting [the UK]”.
Although the statement may send a globally aligned message discouraging the payment of ransomware demands, this is consistent with the existing approach of UK authorities such as the NCSC and the Information Commissioner’s Office (ICO), which already discourage such payments. There are also circumstances in which payment may be illegal (for example where payment is to a sanctioned entity).
This is not the first time there have been cross-jurisdictional discussions around ransomware payments. For example, the Ransomware Task Force, a US-led group composed of governments, tech firms, cyber security experts and academics from around the world, published recommendations on how to disrupt the ransomware supply chain in 2021. Although its report recommended discouraging ransomware payments, it did not reach a consensus on prohibiting them.
Will the statement change behaviours?
When a business is subject to a ransomware incident and finds its IT systems and data compromised, its board is forced to make extremely difficult and time-sensitive decisions, including but not limited to whether to pay a ransomware demand.
According to the Cyber Security Breaches Survey conducted by the Department for Science, Innovation & Technology in early 2023, only 57% of the 2,263 businesses which participated in the survey have a rule or policy not to make ransomware payments. Additionally, in May of this year, Forbes reported on a survey conducted by Veeam which found that 80% of surveyed organisations had paid a ransom demand (either to end an ongoing cyber-attack or to recover lost data), despite 41% of them having a “do not pay” policy in place.
It therefore remains to be seen whether the statement will actually deter businesses in the UK from making ransomware payments, particularly when the consequences of not paying may appear catastrophic for the business in question. It does, however, underline the importance of specifically including ransomware response in any cyber preparedness plan and, if faced with a ransomware demand, conducting thorough and detailed due diligence, seeking specialist advice, and considering all legal, financial, reputational, practical and regulatory risks involved (including whether the recipient may be a sanctioned entity), before making any such payment.