Ransomware incidents continue to be the most common cyber-related attacks against businesses. Ransomware is a type of malware that blocks access to a computer system (or threatens to release data) until or unless a sum of money is paid (often in Bitcoin).
When a ransomware attack strikes, it can have an immediate and debilitating effect on a business’s ability to operate. Without the decryption key, it can sometimes take many days or weeks to try to fix the system with back-ups (if they exist!) or other decryption services.
Generally, the advice from government agencies (with good reason) is not to pay a ransom. Payment is in many cases ineffective, and it also encourages the continuation of a growing global cyber criminal industry.
Nevertheless, under the pressure of mounting business interruption many companies are forced to consider the prospect of whether or not to pay the ransom.
This note sets out some of the key considerations, legal and other, that businesses should consider (subject to legal advice) when assessing whether or not to pay a ransom.
Is payment of a ransomware demand legal?
In Australia and globally the payment of ransomware demands is fairly common. However, as its name suggests, paying the demand is essentially paying a ransom. Whether or not it is legal to pay the ransom will depend on the jurisdiction and may not always be straightforward.
The generally accepted position in Australia is that it is not illegal to pay a cyber ransom. There is no Australian law that explicitly prohibits payment of ransomware demands for decryption or access to locked data.
Nonetheless, the act of payment may have implications for a business in circumstances where the Criminal Code Act 1995 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) are engaged.
For example, it is an offence under Australian law to intentionally make funds available to an organisation (whether directly or indirectly) if that organisation is a terrorist organisation and the offender knows, or is reckless as to whether, the organisation is a terrorist organisation.
Regard must also be had to the provisions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Pursuant to Part 2, Division 2, entities are required to report “suspicious matters” to the Australian Transaction Reports and Analysis Centre (AUSTRAC) when that entity has reasonable grounds for suspicion in relation to that matter. The ambit of “suspicious matters” is very broad and is taken to include matters that may be relevant to the investigation of offences relating to financing terrorism or money laundering.
Businesses are encouraged to approach the payment of ransomware demands with their ‘eyes wide open’. This may involve conducting searches into the entity claiming to be the Threat Actor and the ultimate destination of the ransom funds (if possible) or seeking expert legal and forensic advice on the issue. The Australian Signals Directorate (the government’s agency to coordinate cyber security issues) is also an important source of information about threats and has a voluntary reporting option.
In practice, due to the nature of ransomware demands it will be rare that there is sufficient information available to be able to complete any substantial level of due diligence on the Threat Actor. However, it is important to turn your mind to the potential risks and obtain appropriate advice.
It is worth noting each jurisdiction will have its own rules and laws. Some ransomware incidents may involve multi-jurisdictional issues.
The legality of ransomware payments is an evolving area. In addition to legal considerations, there are a number of practical and ethical considerations that businesses should have regard to before paying a ransomware demand.
Payment of ransomware demands can have mixed results. It is worth considering whether there are better alternatives.
- For example, is your business better off restoring from backups? This could depend on a number of factors, including whether the backups themselves were encrypted and the date of the most recent backup. While restoring can sometimes take slightly longer, it may be a better option in the long run.
- If backups are not available, can the files be decrypted without the threat actors' key, for example by brute-force decryption?
In determining the above, businesses often have to weigh up the importance of documents and any resultant business interruption costs against the resources available to the business.
Weighing up the importance of the documents against the available resources, financial or otherwise, can be a delicate operation. For example, consider the following:
- Can the business continue to operate without the documents?
- Are third parties affected by the incident?
- Does the business have the financial resources to pay the ransom?
A business should also consider the impact of paying a ransomware demand on its own business and on others. Will payment of a ransom encourage the threat actors? At a micro-level, payment may indicate that your organisation is willing and able to make payments, increasing the chance of repeated targeting. At a macro-level, payment encourages threat actors to continue targeting businesses.
If a decision is made to proceed with the payment of a ransom, businesses should have regard to the mechanics of unlocking encrypted files with the decryption keys obtained by paying the demand. If it is ultimately decided to engage with the threat actors, it is worth considering:
- how quickly they can unlock the encrypted files (sample files should be sent to them for unlocking to verify this);
- whether payment of the demand will result in receipt of a decryption key for all affected data; and
- whether the business will have to pay for further keys from the threat actors down the line.
The weight given to each of the above considerations will ultimately vary depending on a number of factors including, but not limited to: the breadth of the incident; the amount of the demand; the urgency of regaining access to documents; and the availability of backups.
Hopefully your business has cyber insurance. If so, it is important to understand the type of cover your business has. This will obviously vary from policy to policy. If the business does have a policy, it is important to consider whether:
- the Insured entity is bound by any obligations in relation to cyber extortion costs and mitigating loss; and
- the relevant policy affords cover for breach coaching (that is, an expert team that assists the Insured entity in responding to the ransomware demand and helps coordinate its response to the incident).
Does the incident constitute a ‘notifiable data breach’, as defined under the Privacy Act 1988 (Cth)?
If a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach, the affected organisation must notify:
- the Office of the Australian Information Commissioner; and
- the affected consumers.
Whether or not a ransomware incident gives rise to notification obligations will depend on the circumstances. There are a number of factors that should be considered when determining whether a data breach is likely to result in serious harm including, but not limited to:
- how the threat actors gained access to the system;
- how and if the data was accessed;
- whether the data was uploaded or exfiltrated from the business’s system;
- the nature of any demand by the threat actors; and
- the nature of the data itself.
An expert breach coaching team including privacy specialists can assist the business to determine whether the incident constitutes a notifiable data breach and otherwise assist the business with any notification obligations.