Part Two – Should you make a ransom payment? Is it legal?
This article forms part of a three part series in the wake of the recent Garmin ransomware attack which explores what this experience tells us about the future landscape of the crime and the possible legal issues facing victims.
Last week, we looked at what we know about what went on in the Garmin ransomware attack and considered what Garmin’s selection as a target tells us about possible future attacks.
This week, we consider the fact that Garmin reportedly paid the ransom that was demanded and look at the legality of ransom payments.
What can we learn from the fact that Garmin reportedly paid the ransom?
Media reports suggest that Garmin may have paid the demanded ransom and may have done so through a ransomware negotiation intermediary. Some commentators have expressed surprise at the move. Payment comes with the inherent risk that you identify yourself as a “known payer” and open yourself up to future attacks as a result. There is also obviously no guarantee that payment of the ransom will result in the return of the encrypted data, albeit a recent report from the British security software firm Sophos Group plc found that only 1% of businesses who paid a ransom did not get their data back.[1]
Every situation is unique and there is no easy answer to the question of whether or not a ransom should be paid; there is never going to be a one-size-fits-all solution to a ransomware attack.
In many cases, the type of ransomware used will rely on encryption that will remain unbreakable without the decryption key. The victim is left with a choice of paying the ransom or losing the data: neither a private cybersecurity company nor a law enforcement agency can help with the recovery of the data.
When an attack leaves a company unable to service its most important asset, its customers, payment may be preferable to losing those customers’ trust and ultimately business. For many businesses, the potential legal ramifications of losing control of their customers’ data may also outweigh the price of a ransom.
Is it legal to pay a ransom?
Separate to the question of whether a victim should pay the ransom is whether they legally can. Again, there is no single answer on the issue of legality and the answer may depend on who exactly you are paying.
WastedLocker – the ransomware thought to have been used in the attack on Garmin – is associated with Evil Corp, which last year was sanctioned by the US Treasury Department for its alleged responsibility in stealing hundreds of millions through ransomware attacks on financial institutions over the past decade. Those sanctions mean it may be illegal for a US based company to directly pay a ransom, hence the rumour that Garmin used a third party to facilitate payment. Things are further complicated by the fact that Evil Corp may not have itself targeted Garmin, with ‘ransom-for-hire’ services being relatively common. If it is not possible to definitively link a sanctioned actor to a particular attack, sanctions may prove to be entirely ineffective at preventing ransoms from being paid to criminal groups.
The payment of ransoms is not prohibited under English law, as the Court of Appeal reaffirmed when it considered the position of ship owners who paid a ransom to pirates to secure the release of their vessel, cargo and crew in Masefield AG v Amlin Corporate Member Ltd, The Bunga Melati Dua [2011] EWCA Civ 24. Lord Justice Rix confirmed that there was no general public policy argument against the payment of ransoms, but noted that pirates are not classified as terrorists and that the public policy position when dealing with terrorist actors may well be different. Indeed, payment of a ransom by an English entity may be an offence under the Terrorism Act 2000 if the payer knows or has reasonable cause to suspect that the money will or may be used for the purposes of terrorism.
Subject to what is known about the identity of the attacker, whether or not to pay a ransom may end up being a surprisingly practical consideration, as opposed to a legal one, with the cost-benefit analysis of doing so being a matter for each business.
In the final article of the series, we consider what other legal issues a victim of a ransomware attack might face in the aftermath of an attack.
This series is intended as a whistle-stop tour of common issues only. If further information on any of these matters would be useful, please get in contact.
[1] https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf